GHSA-5jpx-9hw9-2fx4: NextAuthjs Email misdelivery Vulnerability
NextAuth.js’s email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox because of a bug in nodemailer’s address parser, which the project uses (fixed in nodemailer v7.0.7). A crafted recipient such as:
`"e@attacker.com"@victim.com`
is parsed incorrectly, so the message is delivered to `e@attacker.com` (the attacker) instead of the mailbox `"e@attacker.com"@victim.com` (the intended recipient at victim.com), contrary to RFC 5321/5322 semantics, under which the quoted local part belongs to victim.com. An attacker can therefore receive login/verification links or other sensitive emails intended for the victim.
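The two defensive checks below are an added example, not code from NextAuth.js or nodemailer: a small RFC 5321-aware split that keeps an `@` inside a quoted local part from being mistaken for the mailbox separator, and a strict filter a sign-in form can apply so that quoted local parts never reach the mailer at all. The function names and the regular expression are this example's own.

```javascript
// Added example (not NextAuth.js or nodemailer code). Splits an address
// into local part and domain while honouring a quoted-string local part
// ("..." with backslash escapes), so '@' inside the quotes is not the separator.
// Simplification: a quoted string is only recognised when it opens the address.
function splitAddress(address) {
  let inQuotes = false;
  for (let i = 0; i < address.length; i++) {
    const ch = address[i];
    if (inQuotes) {
      if (ch === '\\') i++;                 // skip the escaped character
      else if (ch === '"') inQuotes = false;
    } else if (ch === '"' && i === 0) {
      inQuotes = true;                      // quoted local part begins
    } else if (ch === '@') {
      return { local: address.slice(0, i), domain: address.slice(i + 1) };
    }
  }
  return null;                              // no separator: not a mailbox
}

// Domain the message should actually go to, or null if unparseable.
function recipientDomain(address) {
  const parts = splitAddress(address);
  return parts && parts.domain.length > 0 ? parts.domain : null;
}

// Hardening check for a sign-in flow: accept only dot-atom local parts
// (no quotes, spaces or angle brackets, exactly one '@'). This rejects the
// crafted form from the advisory before any library has to parse it.
const PLAIN_ADDRESS = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~.-]+@[A-Za-z0-9.-]+$/;
function isPlainAddress(address) {
  return PLAIN_ADDRESS.test(address);
}

// Constructed sample, taken from the advisory's description.
const crafted = '"e@attacker.com"@victim.com';
console.log(recipientDomain(crafted));      // victim.com
console.log(isPlainAddress(crafted));       // false
```

A sign-in endpoint that calls `isPlainAddress` before handing the address to a mailer does not depend on the mailer's parser agreeing with the RFC.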
| ≤ Version | Affected |
|---|---|
| 4.24.11 | Yes |
| 5.0.0-beta.29 | Yes |
References
- github.com/advisories/GHSA-5jpx-9hw9-2fx4
- github.com/nextauthjs/next-auth
- github.com/nextauthjs/next-auth/commit/82efcf81f218aae43683f8dd2f7c260ef69b3ece
- github.com/nextauthjs/next-auth/commit/8f3b2c7af0fe08973a12f616517c3ec85a5cd172
- github.com/nextauthjs/next-auth/security/advisories/GHSA-5jpx-9hw9-2fx4