Skip to content
This repository has been archived by the owner on Apr 5, 2024. It is now read-only.

fix(deps): update dependency next-auth to v4.10.3 [security] #82

Merged
merged 1 commit into from
Aug 17, 2022
Merged

fix(deps): update dependency next-auth to v4.10.3 [security] #82

merged 1 commit into from
Aug 17, 2022

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Jul 6, 2022
edited
Loading

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next-auth (source) 4.10.2 -> 4.10.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-35924

Impact

next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected.

If an attacker could forge a request that sent a comma-separated list of emails (eg.: attacker@attacker.com,victim@victim.com) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being attacker@attacker.com,victim@victim.com. This means that basic authorization like email.endsWith("@​victim.com") in the signIn callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address.

Patches

We patched this vulnerability in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)

To upgrade, run one of the following:

npm i next-auth@latest
yarn add next-auth@latest
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:

// pages/api/auth/[...nextauth].ts

function normalize(identifier) {
  // Get the first two elements only,
  // separated by `@` from user input.
  let [local, domain] = identifier.toLowerCase().trim().split("@​")
  // The part before "@​" can contain a ","
  // but we remove it on the domain part
  domain = domain.split(",")[0]
  return `${local}@​${domain}`
}

export default async function handler(req, res) {
  if (req.body.email) req.body.email = normalize(req.body.email)
  return await NextAuth(req, res, {/* your options */ })
}

References

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.

Acknowledgments

We would like to thank Socket for disclosing this vulnerability in a responsible manner and following up until it got published.

Release Notes

nextauthjs/next-auth

v4.10.3

Compare Source

Bugfixes
  • providers: add normalizeIdentifier to EmailProvider (afb1fcd)
  • ts: fix jsdoc link to documentation (#​5039) (a21db89)
  • avoid redirect on always public paths (#​5000)

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Paris, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled due to failing status checks.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Jul 6, 2022
@renovate renovate bot mentioned this pull request Jul 6, 2022
Merged
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 1e9add3 to eded4dd Compare August 2, 2022 20:23
@renovate renovate bot changed the title fix(deps): update dependency next-auth to v4.9.0 [security] fix(deps): update dependency next-auth to v4.10.3 [security] Aug 2, 2022
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch 4 times, most recently from 6414329 to 5ec2fd0 Compare August 16, 2022 15:50
@github-actions
Copy link

🎉 Deployment for commit 5ec2fd0 :

Ingresses
Docker images
  • 📦 docker pull harbor.fabrique.social.gouv.fr/fabrique/template/app:sha-5ec2fd0d09e0736833c7e6181bbd12d8540342be
  • 📦 docker pull harbor.fabrique.social.gouv.fr/fabrique/template/hasura:sha-5ec2fd0d09e0736833c7e6181bbd12d8540342be
Debug

@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 5ec2fd0 to 428e767 Compare August 16, 2022 23:22
@renovate renovate bot force-pushed the renovate/npm-next-auth-vulnerability branch from 428e767 to 23351b4 Compare August 17, 2022 00:17
@sonarcloud
Copy link

sonarcloud bot commented Aug 17, 2022

Kudos, SonarCloud Quality Gate passed!    Quality Gate passed

Bug A 0 Bugs
Vulnerability A 0 Vulnerabilities
Security Hotspot A 0 Security Hotspots
Code Smell A 0 Code Smells

No Coverage information No Coverage information
0.0% 0.0% Duplication

@revolunet revolunet merged commit 74c291f into main Aug 17, 2022
@renovate renovate bot deleted the renovate/npm-next-auth-vulnerability branch August 17, 2022 09:48
@renovate renovate bot mentioned this pull request Feb 23, 2024
Open
1 task
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@revolunet