CVE-2022-31127

7.1 HIGH

📋 TL;DR

NextAuth.js's email (magic link) sign-in flow renders the address supplied in the email parameter of the sign-in request into the HTML body of the verification email without escaping it, so an attacker can inject HTML into those emails and use them for phishing. This affects NextAuth.js v3 before 3.29.8 and v4 before 4.9.0. Attackers can trick users into clicking malicious links by exploiting the email parameter in verification emails.

💻 Affected Systems

Products:
  • NextAuth.js
Versions: v3 before 3.29.8, v4 before 4.9.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using NextAuth.js email provider with default or custom sendVerificationRequest that renders email parameter in HTML.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case: Successful phishing campaign leading to credential theft, account compromise, or malware installation on user systems.

🟠 Likely Case: Phishing emails sent to users with malicious links, potentially compromising individual accounts.

🟢 If Mitigated: No impact if the email parameter is properly sanitized or excluded from HTML rendering.

🌐 Internet-Facing: HIGH - Authentication endpoints are typically internet-facing and directly accessible.
🏢 Internal Only: LOW - This vulnerability specifically targets external email delivery to users.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit requires sending malicious email parameter to signin endpoint, which is straightforward and documented in the advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v3.29.8+ or v4.9.0+

Vendor Advisory: https://github.com/nextauthjs/next-auth/security/advisories/GHSA-pgjx-7f9g-9463

Restart Required: Yes

Instructions:

1. Update NextAuth.js: npm update next-auth or yarn upgrade next-auth.
2. For v3 users, upgrade to v3.29.8+.
3. For v4 users, upgrade to v4.9.0+.
4. Restart your Next.js application.

🔧 Temporary Workarounds

Sanitize email parameter in custom sendVerificationRequest

Applies to: all

Manually sanitize or exclude the email parameter from HTML rendering in custom email implementations.

// In your sendVerificationRequest function, sanitize email parameter or remove from HTML body

🧯 If You Can't Patch

  • Implement input validation to reject email addresses containing HTML tags
  • Disable email provider authentication until patching is possible
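The workaround above (sanitize or drop the email parameter in a custom sendVerificationRequest) and the input-validation fallback, written out as an added example that is not NextAuth.js's own code. It assumes the v4-style callback argument shape ({ identifier, url, provider }) and a nodemailer-like transport exposing sendMail({ to, from, subject, html, text }); both are assumptions for this illustration. The address is HTML-escaped wherever it lands in markup, and addresses that cannot be a plain email (quoted local parts, angle brackets, whitespace) are rejected before any mail is built.

```javascript
// Added example, not NextAuth.js code. Assumed callback shape:
// sendVerificationRequest({ identifier, url, provider }, transport)
// where transport.sendMail({ to, from, subject, html, text }) is nodemailer-like.

const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Escape the five characters that can break out of an HTML text or attribute context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Conservative shape check for the sign-in address: one '@', no whitespace,
// no quotes, no angle brackets. Quoted local parts are valid per RFC 5322 but
// are the only way to carry markup characters in an address, so they are refused.
const SAFE_EMAIL = /^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/;

function isAcceptableSignInAddress(identifier) {
  return typeof identifier === "string" && identifier.length <= 254 && SAFE_EMAIL.test(identifier);
}

// Build the message with every dynamic value escaped in the HTML part.
// The plain-text part carries the raw values, which is safe in a text/plain body.
function renderSignInEmail({ identifier, url, host }) {
  const safeEmail = escapeHtml(identifier);
  const safeHost = escapeHtml(host);
  const safeUrl = escapeHtml(url); // '&' in the query string becomes '&amp;' inside href
  return {
    subject: `Sign in to ${host}`,
    text: `Sign in to ${host}\n${url}\n\nRequested for ${identifier}.`,
    html: `<p>Sign in to <strong>${safeHost}</strong> as ${safeEmail}</p>
<p><a href="${safeUrl}">Sign in</a></p>
<p>If you did not request this email you can safely ignore it.</p>`,
  };
}

// Custom sendVerificationRequest: validate first, then render with escaping.
async function sendVerificationRequest({ identifier, url, provider }, transport) {
  if (!isAcceptableSignInAddress(identifier)) {
    throw new Error("Sign-in address rejected: not a plain email address");
  }
  const { host } = new URL(url);
  const message = renderSignInEmail({ identifier, url, host });
  await transport.sendMail({ to: identifier, from: provider.from, ...message });
}
```

Rejecting quoted local parts is stricter than RFC 5322 allows; for a sign-in form that is usually an acceptable trade, but the escaping in renderSignInEmail is what actually closes the injection, so keep it even if you relax the regex.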

🔍 How to Verify

Check if Vulnerable:

Check package.json for NextAuth.js version: if v3 < 3.29.8 or v4 < 4.9.0, you are vulnerable.

Check Version:

npm list next-auth or yarn list next-auth

Verify Fix Applied:

Verify NextAuth.js version is v3.29.8+ or v4.9.0+ in package.json and test email sign-in with HTML-containing email parameter.

📡 Detection & Monitoring

Log Indicators:

  • Unusual email parameter values containing HTML tags in authentication logs
  • Multiple failed sign-in attempts with unusual email formats

Network Indicators:

  • POST requests to /api/auth/signin/email with email parameter containing HTML tags

SIEM Query:

source="nextauth" AND (email="*<*" OR email="*>*")
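The SIEM query and log indicators above, expressed as code you can run over exported authentication logs. This is an added example, not part of the advisory. The JSON-lines format, the field names (ts, ip, path, email, status) and the sample records are all constructed for this illustration; adapt the field names to what your application actually logs. Beyond the single-record match of the query, it groups hits by source address so that repeated attempts from one source stand out.

```javascript
// Added example, not from the advisory. Log format and field names are assumed.

// Constructed sample log: one benign sign-in, three requests whose email field
// carries markup (two from the same source), one unrelated request, one malformed line.
const SAMPLE_AUTH_LOG = [
  '{"ts":"2022-07-01T10:00:01Z","ip":"203.0.113.5","path":"/api/auth/signin/email","email":"alice@example.com","status":200}',
  '{"ts":"2022-07-01T10:00:07Z","ip":"198.51.100.9","path":"/api/auth/signin/email","email":"\\"<b>x</b>\\"@example.com","status":200}',
  '{"ts":"2022-07-01T10:00:09Z","ip":"198.51.100.9","path":"/api/auth/signin/email","email":"\\"<i>y</i>\\"@example.com","status":200}',
  '{"ts":"2022-07-01T10:00:12Z","ip":"203.0.113.77","path":"/api/auth/signin/email","email":"bob<u>@example.com","status":400}',
  '{"ts":"2022-07-01T10:00:20Z","ip":"203.0.113.77","path":"/api/auth/session","status":200}',
  "not json at all",
].join("\n");

// Parse JSON lines, skipping blank and malformed lines rather than aborting.
function parseAuthLog(text) {
  const records = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      records.push(JSON.parse(line));
    } catch (e) {
      // malformed line: ignored, a production parser would count these
    }
  }
  return records;
}

// Equivalent of: email="*<*" OR email="*>*"
const MARKUP = /[<>]/;

function findMarkupInEmailField(records) {
  return records.filter((r) => typeof r.email === "string" && MARKUP.test(r.email));
}

// Count hits per source address, most active first.
function groupBySource(hits) {
  const counts = new Map();
  for (const h of hits) counts.set(h.ip, (counts.get(h.ip) || 0) + 1);
  return [...counts.entries()]
    .map(([ip, count]) => ({ ip, count }))
    .sort((a, b) => b.count - a.count || a.ip.localeCompare(b.ip));
}

// Full pass: matching records, per-source counts, and sources at or above the repeat threshold.
function analyzeAuthLog(text, repeatThreshold = 2) {
  const hits = findMarkupInEmailField(parseAuthLog(text));
  const sources = groupBySource(hits);
  return {
    hits,
    sources,
    repeatOffenders: sources.filter((s) => s.count >= repeatThreshold).map((s) => s.ip),
  };
}
```

A status of 400 on a hit (as in the fourth sample line) shows the request was refused, which is what you expect after patching or after adding the validation workaround; hits with status 200 are the ones worth following up on.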
