PT-2022-20548 · Unknown · Nextauth.Js

Sandiipmaity · Published 2022-07-06 · Updated 2022-07-14 · CVE-2022-31127

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

NextAuth.js versions prior to 3.29.8
NextAuth.js versions prior to 4.9.0

Description

An attacker can submit a crafted value containing malicious HTML to the e-mail sign-in endpoint. Because that value is rendered into the body of the verification e-mail, the mail server delivers the attacker's markup to the user, enabling a phishing attack: for example, the attacker can inject a link to their own site, which the recipient's mail client renders as part of an otherwise legitimate sign-in message. The fixed releases remedy this by no longer rendering the e-mail address in the HTML.

The vulnerable email parameter is passed to sendVerificationRequest and rendered in the HTML. If a custom sendVerificationRequest is used, it must either exclude email from the HTML body or properly sanitize (HTML-escape) it.

Recommendations

For NextAuth.js versions prior to 3.29.8, upgrade to version 3.29.8 or later. For NextAuth.js versions prior to 4.9.0, upgrade to version 4.9.0 or later. As a temporary workaround, sanitize the email parameter that is passed to sendVerificationRequest before it is rendered in the HTML. If a custom sendVerificationRequest is used, make sure it either excludes email from the HTML body or properly sanitizes it.
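The following is an added example, not code from the NextAuth.js project or from this advisory. It contrasts a custom sendVerificationRequest that interpolates the sign-in email parameter raw into the message HTML (the vulnerable pattern described above) with a hardened version that omits the address and HTML-escapes everything else, and adds a conservative address check as defense in depth. The argument shape ({ identifier, url, provider }) approximates the NextAuth.js v4 Email provider callback and is an assumption; the transport is a recording stub, and the attacker address and URLs are constructed sample input.

```javascript
// Added example (not NextAuth.js project code). Assumed callback shape:
// { identifier, url, provider }; transport is a recording stub.

// Entity-escape a value for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Conservative syntax check: rejects whitespace, angle brackets, quotes and
// other characters that have no business in an address we are about to mail.
function looksLikeEmail(value) {
  return /^[^\s<>"'()@,;:\\[\]]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/.test(String(value));
}

// Vulnerable body: `email` is whatever the client posted to the sign-in
// endpoint, so attacker-supplied markup is rendered by the mail client.
function vulnerableHtml({ url, host, email }) {
  return `<p>Sign in to <b>${host}</b> as <b>${email}</b></p>
<p><a href="${url}">Sign in</a></p>`;
}

// Hardened body: the address is not echoed at all (the approach the fixed
// releases take, per the advisory); url and host are escaped as well.
function hardenedHtml({ url, host }) {
  return `<p>Sign in to <b>${escapeHtml(host)}</b></p>
<p><a href="${escapeHtml(url)}">Sign in</a></p>`;
}

// Assemble the message synchronously so the result can be inspected.
// `render` picks the body builder; `validate` enables the address check.
function buildVerificationMessage({ identifier, url, provider, render, validate = false }) {
  if (validate && !looksLikeEmail(identifier)) {
    throw new Error("refusing to send: identifier is not a plain e-mail address");
  }
  const { host } = new URL(url);
  return {
    to: identifier,
    from: provider.from,
    subject: `Sign in to ${host}`,
    html: render({ url, host, email: identifier }),
  };
}

// Recording stand-in for a nodemailer-style transport (assumption: real code
// would hand the message to transport.sendMail).
function makeRecordingTransport() {
  const sent = [];
  return { sent, sendMail: (msg) => { sent.push(msg); return Promise.resolve(msg); } };
}

// The callback a custom Email provider would wire up, parameterised on the
// body builder and on whether to enforce the address check.
async function sendVerificationRequest(params, transport, render, validate) {
  const msg = buildVerificationMessage({ ...params, render, validate });
  return transport.sendMail(msg);
}

// Constructed sample input: a victim address with phishing markup appended,
// as an attacker would submit it to the sign-in endpoint.
const ATTACKER_EMAIL =
  'victim@example.com<a href="https://attacker.example/login">Your session expired, sign in again</a>';
const SAMPLE_URL = "https://app.example/api/auth/callback/email?token=abc123";
const SAMPLE_PROVIDER = { from: "noreply@app.example" };

// Vulnerable build: the attacker's link survives into the rendered HTML.
const vulnerable = buildVerificationMessage({
  identifier: ATTACKER_EMAIL, url: SAMPLE_URL, provider: SAMPLE_PROVIDER, render: vulnerableHtml,
});

// Hardened build: the address is never rendered, so the markup goes nowhere.
const hardened = buildVerificationMessage({
  identifier: ATTACKER_EMAIL, url: SAMPLE_URL, provider: SAMPLE_PROVIDER, render: hardenedHtml,
});

// Normal flow through the async callback with a well-formed address.
const transport = makeRecordingTransport();
sendVerificationRequest(
  { identifier: "victim@example.com", url: SAMPLE_URL, provider: SAMPLE_PROVIDER },
  transport, hardenedHtml, true,
);
```

With validate enabled, the hardened build rejects the attacker address before any mail is composed; without it, the hardened body is still safe because the address is simply not rendered. Escaping alone is a reasonable stopgap, but omitting the address from the HTML removes the sink entirely, which is why the advisory recommends it.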

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2022-31127
GHSA-PGJX-7F9G-9463

Affected Products

Nextauth.Js