CVE-2022-35924: Verification requests (magic link) sent to unwanted emails
First published: Tue Aug 02 2022(Updated: )
NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Nextauth.js Next-auth | <3.29.10 | |
| Nextauth.js Next-auth | >=4.0.0<4.10.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://en.wikipedia.org/wiki/Email_address#Local-part
- https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003
- https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587
- https://next-auth.js.org/configuration/callbacks#sign-in-callback
- https://next-auth.js.org/configuration/initialization#advanced-initialization
- https://next-auth.js.org/providers/email
- https://next-auth.js.org/providers/email#normalizing-the-e-mail-address
- https://nodemailer.com/message/addresses
Frequently Asked Questions
What is CVE-2022-35924?
CVE-2022-35924 is a vulnerability in NextAuth.js that affects users using the EmailProvider in versions before 4.10.3 or 3.29.10.
What is the severity of CVE-2022-35924?
The severity of CVE-2022-35924 is critical, with a CVSS score of 9.1.
How does CVE-2022-35924 affect NextAuth.js users?
CVE-2022-35924 allows an attacker to forge a request that sends a comma-separated list of emails, potentially leading to unauthorized access and other malicious activities.
How can I fix CVE-2022-35924?
To fix CVE-2022-35924, NextAuth.js users should upgrade to version 4.10.3 or higher if using the EmailProvider.
Are there any references for CVE-2022-35924?
Yes, you can find references for CVE-2022-35924 at the following links: [1] https://en.wikipedia.org/wiki/Email_address#Local-part, [2] https://github.com/nextauthjs/next-auth/commit/afb1fcdae3cc30445038ef588e491d139b916003, [3] https://github.com/nextauthjs/next-auth/security/advisories/GHSA-xv97-c62v-4587
- collector/nvd-index
- agent/type
- agent/references
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/remedy
- agent/author
- agent/weakness
- agent/title
- agent/severity
- agent/first-publish-date
- agent/event
- agent/description
- agent/tags
- agent/source
- vendor/nextauth.js
- canonical/nextauth.js next-auth
- version/nextauth.js next-auth/4.0.0