Skip to content

Improper handling of email input

High severity GitHub Reviewed Published Jul 6, 2022 in nextauthjs/next-auth • Updated Jan 27, 2023

Package

npm next-auth (npm)

Affected versions

< 3.29.8
>= 4.0.0, < 4.9.0

Patched versions

3.29.8
4.9.0

Description

Impact

An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: [email protected], <a href="http://attacker.com">Before signing in, claim your money!</a>. This was previously sent to [email protected], and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used:

next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.8.0 are impacted.

Patches

We've released patches for this vulnerability in:

  • v3 - 3.29.8
  • v4 - 4.9.0

You can do:

npm i next-auth@latest
# or
yarn add next-auth@latest
#
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)

Workarounds

If for some reason you cannot upgrade, the workaround requires you to sanitize the email parameter that is passed to sendVerificationRequest and rendered in the HTML. If you haven't created a custom sendVerificationRequest, you only need to upgrade. Otherwise, make sure to either exclude email from the HTML body or efficiently sanitize it. Check out https://next-auth.js.org/providers/email#customizing-emails

References

Related documentation:

A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/blob/cd6ccfde898037290ae949d500ace8a378376cd8/packages/next-auth/tests/email.test.ts

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 June 29th, a response was sent out to the reporter in less than 1 hour, and after identifying the issue a patch was published within 4 working days.

References

@balazsorban44 balazsorban44 published to nextauthjs/next-auth Jul 6, 2022
Published by the National Vulnerability Database Jul 6, 2022
Published to the GitHub Advisory Database Jul 6, 2022
Reviewed Jul 6, 2022
Last updated Jan 27, 2023

Severity

High

CVSS overall score

This score calculates overall vulnerability severity from 0 to 10 and is based on the Common Vulnerability Scoring System (CVSS).
/ 10

CVSS v3 base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
Low

CVSS v3 base metrics

Attack vector: More severe the more the remote (logically and physically) an attacker can be in order to exploit the vulnerability.
Attack complexity: More severe for the least complex attacks.
Privileges required: More severe if no privileges are required.
User interaction: More severe when no user interaction is required.
Scope: More severe when a scope change occurs, e.g. one vulnerable component impacts resources in components beyond its security scope.
Confidentiality: More severe when loss of data confidentiality is highest, measuring the level of data access available to an unauthorized user.
Integrity: More severe when loss of data integrity is the highest, measuring the consequence of data modification possible by an unauthorized user.
Availability: More severe when the loss of impacted component availability is highest.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

EPSS score

0.140%
(50th percentile)

Weaknesses

CVE ID

CVE-2022-31127

GHSA ID

GHSA-pgjx-7f9g-9463

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.