ghsa-pgjx-7f9g-9463
Vulnerability from github
Published
2022-07-06 19:27
Modified
2022-07-06 19:27
Severity ?
7.1 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Summary
Improper handling of email input
Details

Impact

An attacker can pass a compromised input to the e-mail signin endpoint that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>. This was previously sent to balazs@email.com, and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used:

next-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our migration guide)

next-auth v4 users before version 4.8.0 are impacted.

Patches

We've released patches for this vulnerability in:

  • v3 - 3.29.8
  • v4 - 4.9.0

You can do:

```sh npm i next-auth@latest

or

yarn add next-auth@latest

pnpm add next-auth@latest ```

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended.)

Workarounds

If for some reason you cannot upgrade, the workaround requires you to sanitize the email parameter that is passed to sendVerificationRequest and rendered in the HTML. If you haven't created a custom sendVerificationRequest, you only need to upgrade. Otherwise, make sure to either exclude email from the HTML body or efficiently sanitize it. Check out https://next-auth.js.org/providers/email#customizing-emails

References

Related documentation:

  • https://next-auth.js.org/providers/email#customizing-emails
  • https://next-auth.js.org/getting-started/upgrade-v4

A test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/blob/cd6ccfde898037290ae949d500ace8a378376cd8/packages/next-auth/tests/email.test.ts

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 2022 June 29th, a response was sent out to the reporter in less than 1 hour, and after identifying the issue a patch was published within 4 working days.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "next-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.29.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "next-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.9.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-31127"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-06T19:27:45Z",
    "nvd_published_at": "2022-07-06T18:15:00Z",
    "severity": "HIGH"
  },
  "details": "### Impact\n\nAn attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. Eg.: `balazs@email.com, \u003ca href=\"http://attacker.com\"\u003eBefore signing in, claim your money!\u003c/a\u003e`. This was previously sent to `balazs@email.com`, and the content of the email containing a link to the attacker\u0027s site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used:\n\nnext-auth v3 users before version 3.29.8 are impacted. (We recommend upgrading to v4, as v3 is considered unmaintained. See our [migration guide](https://next-auth.js.org/getting-started/upgrade-v4))\n\nnext-auth v4 users before version 4.8.0 are impacted.\n\n### Patches\n\nWe\u0027ve released patches for this vulnerability in:\n  \n- v3 - `3.29.8`\n- v4 - `4.9.0`\n\nYou can do:\n\n```sh\nnpm i next-auth@latest\n# or\nyarn add next-auth@latest\n#\npnpm add next-auth@latest\n```\n\n(This will update to the latest v4 version, but you can change  `latest` to `3` if you want to stay on v3. This is not recommended.)\n\n### Workarounds\n\nIf for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven\u0027t created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or efficiently sanitize it. Check out https://next-auth.js.org/providers/email#customizing-emails\n\n### References\n\n\nRelated documentation:\n\n- https://next-auth.js.org/providers/email#customizing-emails\n- https://next-auth.js.org/getting-started/upgrade-v4\n\nA test case has been added so this kind of issue will be checked before publishing. See: https://github.com/nextauthjs/next-auth/blob/cd6ccfde898037290ae949d500ace8a378376cd8/packages/next-auth/tests/email.test.ts\n\n### For more information\n\nIf you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability\n\n### Timeline\n\nThe issue was reported 2022 June 29th, a response was sent out to the reporter in less than 1 hour, and after identifying the issue a patch was published within 4 working days.",
  "id": "GHSA-pgjx-7f9g-9463",
  "modified": "2022-07-06T19:27:45Z",
  "published": "2022-07-06T19:27:45Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-31127"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextauthjs/next-auth/commit/ae834f1e08a4a9915665eecb9479c74c6b039c9c"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/nextauthjs/next-auth"
    },
    {
      "type": "WEB",
      "url": "https://github.com/nextauthjs/next-auth/releases/tag/next-auth%40v4.9.0"
    },
    {
      "type": "WEB",
      "url": "https://next-auth.js.org/getting-started/upgrade-v4"
    },
    {
      "type": "WEB",
      "url": "https://next-auth.js.org/providers/email#customizing-emails"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Improper handling of email input"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.