On July 26, 2022, a security vulnerability affecting the NPM package NextAuth.js was made public. The flaw lets attackers take over a victim's email account.
NextAuth.js is a complete open-source authentication solution for Next.js applications. It is designed from the ground up to support Next.js and Serverless.
Tracked as CVE-2022-35924, the flaw is an authentication bypass bug with a CVSS score of 9.1, rated critical severity. Users of the NPM package next-auth who use the EmailProvider in versions before 4.10.3 or 3.29.10 are affected.
“If an attacker could forge a request that sent a comma-separated list of emails (e.g. attacker@attacker.com,victim@victim.com) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then log in as a newly created user with the email being attacker@attacker.com,victim@victim.com. This means that basic authorization like email.endsWith("@victim.com") in the signIn callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address,” read the advisory.
NextAuth.js maintainers have released versions v4.10.3 and v3.29.10 to fix the CVE-2022-35924 flaw; users should update to the latest version as soon as possible. “We patched this vulnerability in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid e-mail address,” explain the maintainers.
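The following is an added example, not code from the NextAuth.js project or the advisory. It shows why the suffix check quoted above passes for a comma-separated identifier, and what a strict normalizer in the spirit of the normalizeIdentifier callback looks like when it refuses anything but a single, well-formed address. The allowed domain, the sample identifiers and the normalization policy are constructed assumptions; the library's own default normalizer may differ.

```javascript
// Added example: contrast a suffix check on the raw sign-in identifier with a
// check that normalizes first. Not NextAuth.js code; policy choices are our own.

const ALLOWED_DOMAIN = "victim.com"; // constructed sample value

// The naive authorization from the advisory: a suffix test on whatever string
// was posted to the sign-in endpoint. A comma-separated list still "ends with"
// the allowed domain, so this returns true for the attacker-controlled input.
function naiveAuthorize(identifier) {
  return identifier.endsWith("@" + ALLOWED_DOMAIN);
}

// Strict normalizer (assumption: our own policy, not the library's default).
// Returns the canonical lower-cased address, or null when the input is not
// exactly one address. Rejecting rather than repairing keeps the failure loud.
function normalizeIdentifier(identifier) {
  if (typeof identifier !== "string") return null;
  const value = identifier.trim().toLowerCase();
  // Anything that could carry a second recipient past the check is refused:
  // commas, semicolons, whitespace, angle brackets, control characters.
  if (/[,;\s<>\x00-\x1f]/.test(value)) return null;
  const parts = value.split("@");
  if (parts.length !== 2 || parts[0].length === 0 || parts[1].length === 0) return null;
  // Domain must be a plain hostname: [a-z0-9-] labels separated by dots.
  if (!/^[a-z0-9-]+(\.[a-z0-9-]+)+$/.test(parts[1])) return null;
  return `${parts[0]}@${parts[1]}`;
}

// Hardened authorization: normalize first, then compare the domain exactly
// rather than testing a suffix of the raw string.
function authorize(identifier) {
  const email = normalizeIdentifier(identifier);
  if (email === null) return false;
  return email.split("@")[1] === ALLOWED_DOMAIN;
}

// Wiring (shape as described by the maintainers; not executed here):
//   EmailProvider({ /* server, from, ... */ normalizeIdentifier })
// and in the signIn callback use authorize(user.email).

// Constructed sample identifiers, including the shape named in the advisory.
const SAMPLES = [
  "victim@victim.com",
  "Victim@Victim.COM ",
  "attacker@attacker.com,victim@victim.com",
  "attacker@attacker.com, victim@victim.com",
  "attacker@attacker.com",
];

// Returns one row per sample so the two checks can be compared side by side.
function compareChecks(samples = SAMPLES) {
  return samples.map((id) => ({
    identifier: id,
    normalized: normalizeIdentifier(id),
    naive: naiveAuthorize(id),
    hardened: authorize(id),
  }));
}

console.table(compareChecks());
```

Run with `node` to print the comparison table; the comma-separated sample is the only row where the naive suffix check and the normalized check disagree.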