Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1wZ2p4LTdmOWctOTQ2M84AAtHy

Improper handling of email input

Impact

An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: [email protected], <a href="http://attacker.com">Before signing in, claim your money!</a>. This was previously sent to [email protected], and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used:

next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.8.0 are impacted.

Patches

We've released patches for this vulnerability in:

You can do:

npm i next-auth@latest
# or
yarn add next-auth@latest
#
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)

Workarounds

If for some reason you cannot upgrade, the workaround requires you to sanitize the email parameter that is passed to sendVerificationRequest and rendered in the HTML. If you haven't created a custom sendVerificationRequest, you only need to upgrade. Otherwise, make sure to either exclude email from the HTML body or efficiently sanitize it. Check out https://next-auth.js.org/providers/email#customizing-emails

References

Related documentation:

A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/blob/cd6ccfde898037290ae949d500ace8a378376cd8/packages/next-auth/tests/email.test.ts

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 June 29th, a response was sent out to the reporter in less than 1 hour, and after identifying the issue a patch was published within 4 working days.

Permalink: https://github.com/advisories/GHSA-pgjx-7f9g-9463
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1wZ2p4LTdmOWctOTQ2M84AAtHy
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: over 1 year ago
Updated: about 1 year ago


CVSS Score: 7.1
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

Identifiers: GHSA-pgjx-7f9g-9463, CVE-2022-31127
References: Repository: https://github.com/nextauthjs/next-auth

Affected Packages

npm:next-auth
Dependent packages: 304
Dependent repositories: 19,200
Downloads: 3,604,982 last month
Affected Version Ranges: >= 4.0.0, < 4.9.0, < 3.29.8
Fixed in: 4.9.0, 3.29.8
All affected versions: 1.0.0, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.5, 1.1.6, 1.1.7, 1.1.8, 1.1.9, 1.1.10, 1.2.1, 1.3.0, 1.4.0, 1.4.1, 1.5.0, 1.5.1, 1.6.0, 1.7.0, 1.7.1, 1.7.2, 1.7.3, 1.8.0, 1.8.1, 1.8.2, 1.8.3, 1.8.4, 1.8.5, 1.9.0, 1.9.1, 1.10.0, 1.11.0, 1.12.0, 1.12.1, 2.0.0, 2.0.1, 2.1.0, 2.2.0, 3.0.0, 3.0.1, 3.1.0, 3.2.0, 3.2.1, 3.3.0, 3.3.1, 3.4.0, 3.4.1, 3.4.2, 3.5.0, 3.5.1, 3.6.0, 3.6.1, 3.7.0, 3.7.1, 3.8.0, 3.9.0, 3.10.0, 3.10.1, 3.11.0, 3.11.1, 3.11.2, 3.12.0, 3.13.0, 3.13.1, 3.13.2, 3.13.3, 3.14.0, 3.14.1, 3.14.2, 3.14.3, 3.14.4, 3.14.5, 3.14.6, 3.14.7, 3.14.8, 3.15.0, 3.15.1, 3.15.4, 3.15.5, 3.15.6, 3.15.7, 3.15.8, 3.15.9, 3.15.10, 3.15.11, 3.15.12, 3.15.13, 3.16.0, 3.16.1, 3.17.0, 3.17.1, 3.17.2, 3.18.0, 3.18.1, 3.18.2, 3.19.0, 3.19.1, 3.19.2, 3.19.3, 3.19.4, 3.19.5, 3.19.6, 3.19.7, 3.19.8, 3.20.0, 3.20.1, 3.21.0, 3.21.1, 3.22.0, 3.23.0, 3.23.1, 3.23.2, 3.23.3, 3.24.0, 3.24.1, 3.25.0, 3.26.0, 3.26.1, 3.27.0, 3.27.1, 3.27.2, 3.27.3, 3.28.0, 3.29.0, 3.29.1, 3.29.3, 3.29.4, 3.29.5, 3.29.6, 3.29.7, 4.0.0, 4.0.1, 4.0.2, 4.0.3, 4.0.4, 4.0.5, 4.0.6, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.2.1, 4.3.0, 4.3.1, 4.3.2, 4.3.3, 4.3.4, 4.4.0, 4.5.0, 4.6.0, 4.6.1, 4.7.0, 4.8.0
All unaffected versions: 3.29.8, 3.29.9, 3.29.10, 4.9.0, 4.10.0, 4.10.1, 4.10.2, 4.10.3, 4.11.0, 4.12.0, 4.12.1, 4.12.2, 4.12.3, 4.13.0, 4.14.0, 4.15.0, 4.15.1, 4.15.2, 4.16.0, 4.16.1, 4.16.2, 4.16.3, 4.16.4, 4.17.0, 4.18.0, 4.18.1, 4.18.2, 4.18.3, 4.18.4, 4.18.5, 4.18.6, 4.18.7, 4.18.8, 4.18.9, 4.18.10, 4.19.0, 4.19.1, 4.19.2, 4.20.0, 4.20.1, 4.21.0, 4.21.1, 4.22.0, 4.22.1, 4.22.2, 4.22.3, 4.22.4, 4.22.5, 4.23.0, 4.23.1, 4.23.2, 4.24.0, 4.24.1, 4.24.2, 4.24.3, 4.24.4, 4.24.5, 4.24.6, 4.24.7