N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-5jpx-9hw9-2fx4

EPSS Score

CWE

CWE-200

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-5jpx-9hw9-2fx4

GHSA-5jpx-9hw9-2fx4: NextAuthjs Email misdelivery Vulnerability

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"e@attacker.com"@victim.com

is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

<h2>Affected NextAuthjs Version</h2>

≤ Version | Afftected -- | -- 4.24.11 | Yes 5.0.0-beta.29 | Yes

POC

Example Setup showing misdelivery of email

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@auth/prisma-adapter"
import { prisma } from "@/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "noreply@authjs.dev",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})

POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin

Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

(GitHub Advisory)

N/A

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-5jpx-9hw9-2fx4

EPSS Score

CWE

CWE-200

Published

10/29/2025

Updated

10/29/2025

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
next-auth	npm	< 4.24.12	4.24.12
next-auth	npm	>= 5.0.0-beta.0, < 5.0.0-beta.30	5.0.0-beta.30

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in how the next-auth library handles email addresses for authentication, specifically due to a parsing flaw in its dependency, nodemailer (versions prior to 7.0.7). An attacker could craft a malicious email address string such as "e@attacker.com"@victim.com. The vulnerable code in next-auth would fail to properly sanitize this input before passing it to nodemailer. The vulnerable version of nodemailer would then incorrectly parse this string, leading to the authentication email being sent to the attacker's address (e@attacker.com) instead of the legitimate user's domain (victim.com).

The analysis of the patches reveals two key locations where this vulnerability is addressed. The first is within the signin function in packages/next-auth/src/core/routes/signin.ts. The second is within the defaultNormalizer function, which is called by the sendToken function in packages/core/src/lib/actions/signin/send-token.ts. In both cases, the patches introduce stricter validation for email addresses, specifically checking for and rejecting formats that include quotes or multiple '@' symbols, which are characteristic of this exploit. The patches also update the nodemailer dependency to a non-vulnerable version as the primary mitigation. Therefore, the signin and sendToken (along with its internal defaultNormalizer) functions are the vulnerable functions that would appear in a runtime profile during an exploit attempt.

Vulnerable functions

signin

packages/next-auth/src/core/routes/signin.ts

The `signin` function in `packages/next-auth/src/core/routes/signin.ts` is vulnerable because it uses a flawed email normalization logic that can be exploited. The original code, `let [local, domain] = identifier.toLowerCase().trim().split("@")`, improperly parses crafted email addresses like `"e@attacker.com"@victim.com`. This allows an attacker to have authentication emails misdelivered to an email address they control. The patch adds validation to reject such formats.

sendToken

packages/core/src/lib/actions/signin/send-token.ts

The `sendToken` function utilizes an internal `defaultNormalizer` function to process email addresses before sending a verification token. The original implementation of `defaultNormalizer` was vulnerable to the same email parsing flaw as the `signin` function, using `email.toLowerCase().trim().split("@")` to parse the address. This could be exploited to redirect verification emails. The `sendToken` function is the entry point for this vulnerable logic.

defaultNormalizer

packages/core/src/lib/actions/signin/send-token.ts

This function, used within `sendToken`, contains the vulnerable email parsing logic. It takes an email string and splits it at the "@" symbol without properly validating the format. This allows an attacker to craft an input like `"e@attacker.com"@victim.com`, causing the underlying `nodemailer` library to misinterpret the recipient's address and send the email to the attacker. The patch introduces checks to prevent this.

WAF Protection Rules

WAF Rule

### Summ*ry N*xt*ut*.js's *m*il si*n-in **n ** *or*** to **liv*r *ut**nti**tion *m*ils to *n *tt**k*r-*ontroll** m*il*ox *u* to * *u* in `no**m*il*r`'s ***r*ss p*rs*r us** *y t** proj**t (*ix** in `no**m*il*r` **v*.*.***). * *r**t** input su** *s:

Reasoning

T** vuln*r**ility *xists in *ow t** `n*xt-*ut*` li*r*ry **n*l*s *m*il ***r*ss*s *or *ut**nti**tion, sp**i*i**lly *u* to * p*rsin* *l*w in its **p*n**n*y, `no**m*il*r` (v*rsions prior to *.*.*). *n *tt**k*r *oul* *r**t * m*li*ious *m*il ***r*ss strin*

N/A

Basic Information

Concerned about an active attack path?

GHSA-5jpx-9hw9-2fx4: NextAuthjs Email misdelivery Vulnerability

Summary

POC

Mitigation

Credits

N/A

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI