A critical authentication bypass flaw in an NPM package could allow a malicious actor to take over a victim’s email account.
The vulnerability, which was rated a CVSS score of 9.1, was present in Nextauth.js, an open source authentication package for next.js applications.
Users of NPM package next-auth who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected by the bug, a security advisory warns.
If an attacker could forge a request that sent a comma-separated list of emails, for example attacker@attacker.com,victim@victim.com, to the sign-in endpoint, Nextauth.js would send emails to both the attacker and to the victim’s email addresses.
The attacker could then log in as a newly created user whose email is attacker@attacker.com,victim@victim.com.
A basic authorization check such as email.endsWith("@victim.com") in the signIn callback would pass without signalling anything to the developer, letting the attacker bypass authorization even though they only control an @attacker.com address.
Patched
The vulnerability has been patched by maintainers in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else.
“We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid email address,” wrote the maintainers.
A detailed workaround is also available for users who cannot patch, although updating to the latest version is recommended.
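The following is an added example, not code from NextAuth.js or the advisory, showing why the endsWith("@victim.com") check above is bypassed by a comma-separated identifier and how a stricter normalizer of the kind a normalizeIdentifier callback allows rejects it. The domain name, function names and the exact normalization rules are assumptions for illustration.

```javascript
// Constructed sample: the only domain this application wants to sign in.
const ALLOWED_DOMAIN = "victim.com";

// Vulnerable authorization check. endsWith() only inspects the tail of the
// string, so "attacker@attacker.com,victim@victim.com" is accepted.
function naiveIsAllowed(email) {
  return email.endsWith("@" + ALLOWED_DOMAIN);
}

// Stricter normalizer (assumed shape, not the library's default): accept a
// single plain address only, lowercase it, and throw on anything else so a
// multi-recipient identifier never reaches the mail sender or the database.
function normalizeIdentifier(identifier) {
  const value = String(identifier).trim().toLowerCase();
  // Reject list separators, whitespace and angle brackets outright.
  if (/[,;\s<>]/.test(value)) {
    throw new Error("identifier must be a single email address");
  }
  const parts = value.split("@");
  if (parts.length !== 2 || parts[0] === "" || parts[1] === "") {
    throw new Error("identifier is not an email address");
  }
  return value;
}

// Hardened check: normalize first, then compare the whole domain part,
// not just the suffix. A malformed identifier is refused, not signed in.
function hardenedIsAllowed(identifier) {
  let email;
  try {
    email = normalizeIdentifier(identifier);
  } catch (err) {
    return false;
  }
  return email.split("@")[1] === ALLOWED_DOMAIN;
}
```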
Source: https://portswigger.net/daily-swig/authentication-bypass-bug-in-nextauth-js-could-allow-email-account-takeover