Vulnerability has been patched in latest versions

Authentication bypass bug in Nextauth.js could allow email account takeover

A critical authentication bypass flaw in an NPM package could allow a malicious actor to take over a victim’s email account.

The vulnerability, which was rated a CVSS score of 9.1, was present in Nextauth.js, an open source authentication package for next.js applications.

Users of NPM package next-auth who are using the EmailProvider either in versions before 4.10.3 or 3.29.10 are affected by the bug, a security advisory warns.

Read more of the latest web security vulnerability news

If an attacker could forge a request that sent a comma-separated list of emails, for example,, to the sign-in endpoint, Nextauth.js would send emails to both the attacker and to the victim’s email addresses.

The attacker could then login as a newly created user with the email being,

Basic authorization such as email.endsWith("") in the signIn callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an address.


The vulnerability has been patched by maintainers in v4.10.3 and v3.29.10 by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else.

“We also added a normalizeIdentifier callback on the EmailProvider configuration, where you can further tweak your requirements for what your system considers a valid email address,” wrote the maintainers.

A detailed workaround is also available for any users who cannot patch, however updating to the latest version is recommended.

YOU MAY ALSO LIKE Trio of XSS bugs in open source web apps could lead to complete system compromise