Skip to content

Deps: Update dependency next-auth to v5.0.0-beta.30[SECURITY] #1838

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
renovate wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Deps: Update dependency next-auth to v5.0.0-beta.30[SECURITY] #1838

renovate wants to merge 1 commit into from
+23 −50

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Oct 29, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
next-auth (source) 5.0.0-beta.255.0.0-beta.30 age confidence

GitHub Vulnerability Alerts

GHSA-5jpx-9hw9-2fx4

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"e@attacker.com"@​victim.com

is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@&#8203;victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

≤ Version Afftected
4.24.11 Yes
5.0.0-beta.29 Yes

POC

Example Setup showing misdelivery of email

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@&#8203;auth/prisma-adapter"
import { prisma } from "@&#8203;/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "noreply@authjs.dev",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})
POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin
Screenshot from 2025-10-25 21-15-25 Screenshot from 2025-10-25 21-14-47

Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

  • If you want to rebase/retry this PR, check this box

This PR has been generated on behalf of Nordcom AB by Renovate Bot.

@renovate renovate bot added the Dependency label Oct 29, 2025
@renovate renovate bot enabled auto-merge (rebase) October 29, 2025 19:09
@vercel
Copy link

vercel bot commented Oct 29, 2025
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Review Updated (UTC)
commerce-demo Error Error Jan 19, 2026 2:43pm
commerce-landing-demo Error Error Jan 19, 2026 2:43pm

@github-actions
Copy link

github-actions bot commented Oct 29, 2025
edited
Loading

Coverage Report

Status Category Percentage Covered / Total
🔵 Lines 16.77% 2864 / 17075
🔵 Statements 16.77% 2864 / 17075
🔵 Functions 51.19% 279 / 545
🔵 Branches 66.11% 677 / 1024
File CoverageNo changed files found.
Generated in workflow #10861 for commit 59dbb44 by the Vitest Coverage Report Action

@codecov
Copy link

codecov bot commented Oct 29, 2025
edited
Loading

❌ 2 Tests Failed:

Tests completed Failed Passed Skipped
182 2 180 20
View the top 2 failed test(s) by shortest run time 
apps/admin/src/utils/auth.adapter.test.ts > src/utils/auth.adapter.test.ts
Stack Traces | 0s run time 
Error: querySrv ENOTFOUND _mongodb._tcp.dummy-string
⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯⎯
Serialized Error: { errno: undefined, code: 'ENOTFOUND', syscall: 'querySrv', hostname: '_mongodb._tcp.dummy-string' }
apps/storefront/src/components/products/quantity-selector.test.tsx > components > QuantitySelector > updates the quantity when input value changes
Stack Traces | 1.04s run time 
AssertionError: expected "spy" to be called with arguments: [ 5 ]

Number of calls: 0


Ignored nodes: comments, script, style
<html>
  <head />
  <body>
    <div>
      <section
        class="flex min-h-fit w-full overflow-hidden rounded-lg border-2 border-solid border-white bg-white p-0 leading-none opacity-50 drop-shadow transition-colors *:appearance-none *:text-center *:text-lg *:leading-none *:transition-colors"
      >
        <button
          aria-disabled="true"
          aria-label="decrease"
          class="transition-color duration-150 pointer-events-none cursor-not-allowed shadow-none aspect-[3/4] h-full select-none appearance-none rounded-none bg-transparent p-2 font-bold text-current"
          data-nosnippet="true"
          data-quantity-decrease="true"
          data-testid="quantity-decrease"
          disabled=""
          draggable="false"
          title="decrease"
          type="button"
        >
          –
        </button>
        <input
          aria-disabled="true"
          aria-label="quantity"
          class="rounded-lg pointer-events-none cursor-not-allowed h-full w-full grow appearance-none border-none bg-transparent text-sm font-bold outline-none focus:outline-none focus:ring-0"
          data-nosnippet="true"
          data-quantity-input="true"
          data-testid="quantity-input"
          disabled=""
          draggable="false"
          max="199999"
          min="1"
          pattern="[0-9]"
          placeholder="quantity"
          step="1"
          title="quantity"
          type="number"
          value="0"
        />
        <button
          aria-disabled="true"
          aria-label="increase"
          class="transition-color duration-150 pointer-events-none cursor-not-allowed shadow-none aspect-[3/4] h-full select-none appearance-none rounded-none bg-transparent p-2 font-bold text-current"
          data-nosnippet="true"
          data-quantity-increase="true"
          data-testid="quantity-increase"
          disabled=""
          draggable="false"
          title="increase"
          type="button"
        >
          +
        </button>
      </section>
    </div>
  </body>
</html>
 ❯ .../components/products/quantity-selector.test.tsx:27:36
 ❯ runWithExpensiveErrorDiagnosticsDisabled ../../node_modules/.pnpm/@testing-library+dom@10.1.0/node_modules/@.../dom/dist/config.js:47:12
 ❯ checkCallback ../../node_modules/.pnpm/@testing-library+dom@10.1.0/node_modules/@.../dom/dist/wait-for.js:124:77
 ❯ checkRealTimersCallback ../../node_modules/.pnpm/@testing-library+dom@10.1.0/node_modules/@.../dom/dist/wait-for.js:118:16
 ❯ Timeout.<anonymous> ../../node_modules/.pnpm/happy-dom@17.4..../src/window/BrowserWindow.ts:1431:16

To view more test analytics, go to the Test Analytics Dashboard
📋 Got 3 mins? Take this short survey to help us improve Test Analytics.

@renovate renovate bot force-pushed the deps/bot-npm-next-auth-vulnerability branch from 97357be to 8e4d791 Compare November 18, 2025 12:46
@renovate renovate bot force-pushed the deps/bot-npm-next-auth-vulnerability branch from 8e4d791 to b091a93 Compare December 3, 2025 18:09
@renovate renovate bot force-pushed the deps/bot-npm-next-auth-vulnerability branch from b091a93 to 59dbb44 Compare January 19, 2026 14:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Dependency

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant