Skip to content
This repository has been archived by the owner on Dec 19, 2022. It is now read-only.

fix(deps): update dependency next-auth to v4.10.3 [security] #70

Closed
wants to merge 1 commit into from
Closed

fix(deps): update dependency next-auth to v4.10.3 [security] #70

wants to merge 1 commit into from

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Sep 25, 2022

Mend Renovate

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
next-auth (source) 4.9.0 -> 4.10.3 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2022-35924

Impact

next-auth users who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected.

If an attacker could forge a request that sent a comma-separated list of emails (eg.: attacker@attacker.com,victim@victim.com) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being attacker@attacker.com,victim@victim.com. This means that basic authorization like email.endsWith("@​victim.com") in the signIn callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an @attacker.com address.

Patches

We patched this vulnerability in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance)

To upgrade, run one of the following:

npm i next-auth@latest
yarn add next-auth@latest
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can normalize the incoming request like the following, using Advanced Initialization:

// pages/api/auth/[...nextauth].ts

function normalize(identifier) {
  // Get the first two elements only,
  // separated by `@` from user input.
  let [local, domain] = identifier.toLowerCase().trim().split("@​")
  // The part before "@​" can contain a ","
  // but we remove it on the domain part
  domain = domain.split(",")[0]
  return `${local}@​${domain}`
}

export default async function handler(req, res) {
  if (req.body.email) req.body.email = normalize(req.body.email)
  return await NextAuth(req, res, {/* your options */ })
}

References

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 26th of July, a response was sent out in less than 1 hour and after identifying the issue a patch was published within 5 working days.

Acknowledgments

We would like to thank Socket for disclosing this vulnerability in a responsible manner and following up until it got published.

CVE-2022-31186

Impact

An information disclosure vulnerability in next-auth before v4.10.2 and v3.29.9 allows an attacker with log access privilege to obtain excessive information such as an identity provider's secret in the log (which is thrown during OAuth error handling) and use it to leverage further attacks on the system, like impersonating the client to ask for extensive permissions.

Patches

We patched this vulnerability in v4.10.2 and v3.29.9 by moving the log for provider information to the debug level. In addition, we added a warning for having the debug: true option turned on in production and documented it here.

You have enabled the debug option. It is meant for development only, to help you catch issues in your authentication flow and you should consider removing this option when deploying to production. One way of only allowing debugging while not in production is to set debug: process.env.NODE_ENV !== "production", so you can commit this without needing to change the value.

If you want to log debug messages during production anyway, we recommend setting the logger option with proper sanitization of potentially sensitive user information.

To upgrade:

npm i next-auth@latest

# or
yarn add next-auth@latest

# or
pnpm add next-auth@latest

(This will update to the latest v4 version, but you can change latest to 3 if you want to stay on v3. This is not recommended. v3 is unmaintained.)

Workarounds

If for some reason you cannot upgrade, you can user the logger configuration option by sanitizing the logs:

// Example
import log from "your-logging-service"
export const authOptions: NextAuthOptions = {
  debug: process.env.NODE_ENV !== "production",
  logger: {
    error: (code, metadata) => {
      if (!(metadata instanceof Error) &&  metadata.provider) {
        // redact the provider secret here
        delete metadata.provider
        log.error(code, metadata)
      } else {
        log.error(code, metadata)
      }
    }
  },
}

References

Related documentation:

For more information

If you have any concerns, we request responsible disclosure, outlined here: https://next-auth.js.org/security#reporting-a-vulnerability

Timeline

The issue was reported 18th of July, a response was sent out in less than 20 minutes and after identifying the issue a patch was published within a week.

Release Notes

nextauthjs/next-auth

v4.10.3

Compare Source

Bugfixes

  • providers: add normalizeIdentifier to EmailProvider (afb1fcd)
  • ts: fix jsdoc link to documentation (#​5039) (a21db89)
  • avoid redirect on always public paths (#​5000)

v4.10.2

Compare Source

Bugfixes

v4.10.1

Compare Source

Bugfixes

Other

  • ts: explicitly set next path in next-auth (fb60554)
  • revert type assertion
  • add Thang to contributor (#​4944)
  • add TODO comment for next major version

v4.10.0

Compare Source

Features

Bugfixes

Other

  • providers: convert GitHub provider to TypeScript (#​4908) (3666e43)
  • update Next.js example, bump dependencies

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, click this checkbox.

This PR has been generated by Mend Renovate. View repository job log here.

@vercel
Copy link

vercel bot commented Sep 25, 2022
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Updated
student-dashboard-nextjs ✅ Ready (Inspect) Visit Preview Sep 25, 2022 at 2:39PM (UTC)

@netlify
Copy link

netlify bot commented Sep 25, 2022
edited
Loading

Deploy Preview for student-dashboard-nextjs ready!

Name Link
🔨 Latest commit 7ea7464
🔍 Latest deploy log https://app.netlify.com/sites/student-dashboard-nextjs/deploys/633067be5ff1820009a8b4d0
😎 Deploy Preview https://deploy-preview-70--student-dashboard-nextjs.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify site settings.

@DuckyMomo20012 DuckyMomo20012 deleted the renovate/npm-next-auth-vulnerability branch September 29, 2022 00:59
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@DuckyMomo20012