PT-2022-23030 · Unknown · NextAuth.js

Balazsorban44

·

Published

2022-08-02

·

Updated

2022-08-10

·

CVE-2022-35924

CVSS v3.1

9.1

Critical

Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

NextAuth.js versions prior to 4.10.3
NextAuth.js versions prior to 3.29.10

Description

The issue allows an attacker to forge a request that sends a comma-separated list of emails to the sign-in endpoint, resulting in emails being sent to both the attacker's and the victim's email addresses. The attacker can then log in as a newly created user whose email is the combination of the attacker's and victim's addresses, potentially bypassing basic authorization. This is possible because a check such as email.endsWith("@victim.com") in the signIn callback still passes for the combined value, so nothing signals the threat to the developer. The vulnerability has been patched by normalizing the email value sent to the sign-in endpoint.

Recommendations

For versions prior to 4.10.3, upgrade to version 4.10.3 or later by running npm i next-auth@latest, yarn add next-auth@latest, or pnpm add next-auth@latest. For versions prior to 3.29.10, upgrade to version 3.29.10 or later, or consider staying on the v4 version. If an upgrade is not possible, normalize the incoming request using Advanced Initialization, for example by implementing a function that normalizes the email identifier before it reaches the provider:
```ts
function normalize(identifier: string): string {
  // Lower-case and trim, then take only the local part and the first domain
  // part; any further "@" fragments are dropped.
  let [local, domain] = identifier.toLowerCase().trim().split("@")
  if (!local || !domain) {
    throw new Error("identifier is not an email address")
  }
  // A comma in the domain part would turn the value into a recipient list,
  // so keep only the part before the first comma.
  domain = domain.split(",")[0]
  return `${local}@${domain}`
}
```
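The following added example is not part of this advisory or of NextAuth.js; it models the flow the description above outlines so that the effect of normalization can be checked in isolation. The allowed domain "victim.example", the sample identifiers, and the helper names (recipientsOf, naiveSignInCheck, hardenedSignInCheck) are assumptions chosen for illustration; the recipient model assumes, as the advisory states, that a comma-separated value is delivered to every listed address.

```typescript
// Added example, not NextAuth.js code. Models the signIn-callback check from
// the advisory and shows why normalizing the identifier closes the bypass.

// Placeholder domain for the illustration (not taken from the advisory).
const ALLOWED_DOMAIN = "victim.example"

// Normalizer in the shape the advisory recommends, with a guard for values
// that are not an email address at all.
function normalize(identifier: string): string {
  const [local, domain] = identifier.toLowerCase().trim().split("@")
  if (!local || !domain) {
    throw new Error("identifier is not an email address")
  }
  return `${local}@${domain.split(",")[0]}`
}

// Simplified model of how a mail transport reads a comma-separated "to"
// value: every comma-separated token becomes its own recipient (assumption).
function recipientsOf(to: string): string[] {
  return to
    .split(",")
    .map((s) => s.trim())
    .filter((s) => s.length > 0)
}

// The kind of signIn callback the advisory describes: it only inspects the
// tail of the string it is handed.
function naiveSignInCheck(email: string): boolean {
  return email.endsWith(`@${ALLOWED_DOMAIN}`)
}

// The same policy, applied to the normalized address instead of the raw value.
function hardenedSignInCheck(rawIdentifier: string): boolean {
  let email: string
  try {
    email = normalize(rawIdentifier)
  } catch {
    return false
  }
  return email.endsWith(`@${ALLOWED_DOMAIN}`)
}

// Constructed sample inputs: a legitimate sign-in value and a combined value
// of the shape the advisory describes.
const LEGIT = "Alice@Victim.example "
const COMBINED = "outsider@attacker.example,alice@victim.example"

// Stand-alone run: prints how each check and the recipient model behave.
for (const value of [LEGIT, COMBINED]) {
  console.log({
    value,
    recipients: recipientsOf(value),
    naiveAccepts: naiveSignInCheck(value),
    normalized: normalize(value),
    hardenedAccepts: hardenedSignInCheck(value),
  })
}
```

The point to verify is that the naive check and the hardened check disagree only on the combined value: the raw string ends with the allowed domain, so the tail check passes, while the normalized form keeps just the first domain and is rejected. The legitimate value passes both, and a value with no "@" is rejected by the hardened check rather than throwing inside the callback.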

Exploit

Fix

Incorrect Authorization

RCE


Weakness Enumeration

Related Identifiers

CVE-2022-35924
GHSA-XV97-C62V-4587

Affected Products

NextAuth.js