cvedb.io
CVE-2022-35924
CRITICAL · CVSS 9.1
EPSS exploitation probability: 0%
Published 2022-08-02T18:15:08.893 · Last modified 2026-06-17T04:52:31.980

Summary

NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who use the `EmailProvider` in versions before `4.10.3` or before `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of e-mail addresses (e.g. `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send sign-in e-mails to both the attacker's and the victim's addresses. The attacker could then log in as a newly created user whose e-mail is `attacker@attacker.com,victim@victim.com`. This means that basic authorization such as `email.endsWith("@victim.com")` in the `signIn` callback would fail to signal a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. Thi

Affected products

nextauth.js — next-auth

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.