
Cloud Vulnerability DB
A community-led vulnerabilities database
An authentication bypass vulnerability in NextAuth.js (CVE-2022-35924) was discovered on July 26, 2022, affecting users of the EmailProvider in versions before 4.10.3 and 3.29.10. The vulnerability allowed attackers to bypass authentication controls by manipulating the email address submitted in sign-in requests. NextAuth.js is an open-source authentication solution designed for Next.js applications (Security Online, GitHub Advisory).
The vulnerability had a CVSS score of 9.1 (Critical). The issue occurred when an attacker could forge a request to the sign-in endpoint containing a comma-separated list of emails (e.g., attacker@attacker.com,victim@victim.com). NextAuth.js would then send the sign-in email to both addresses, allowing the attacker to log in as a newly created user whose email is the combined string. Because that string ends with the victim's domain, simple authorization checks such as email.endsWith('@victim.com') in the signIn callback passed even though the attacker controlled only an @attacker.com address (GitHub Advisory).
The vulnerability allowed attackers to bypass authentication controls and gain unauthorized access to systems using NextAuth.js for email-based authentication. This could lead to account takeover and unauthorized access to protected resources. The issue affected organizations using email-based authentication with NextAuth.js's EmailProvider (Security Online).
The vulnerability was patched in versions v4.10.3 and v3.29.10 by normalizing the email value sent to the sign-in endpoint before processing it. The fix also added a normalizeIdentifier callback to the EmailProvider configuration so that applications can customize their email address validation requirements. Users were advised to upgrade to the patched versions immediately. For those unable to upgrade, a workaround was provided that uses Advanced Initialization to normalize incoming requests before they reach the provider (GitHub Advisory).
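The following is an added illustration of the bypass and of a normalizeIdentifier-style fix; it is not NextAuth.js code. The function names, the sample identifiers and the choice to lowercase and reject separator characters are constructed assumptions modelled on the advisory's description.

```javascript
// Weak check from the advisory: a suffix test on the raw, un-normalized identifier.
function weakSignInCheck(email) {
  return email.endsWith('@victim.com');
}

// Normalize an identifier in the spirit of the fix: exactly one address, lowercased,
// and rejected when it contains a comma or another character a mail transport
// could read as a recipient separator (assumed policy, not NextAuth's own).
function normalizeIdentifier(identifier) {
  if (typeof identifier !== 'string') throw new Error('identifier must be a string');
  const trimmed = identifier.trim().toLowerCase();
  if (/[,;\s<>]/.test(trimmed)) throw new Error('identifier must be a single address');
  const parts = trimmed.split('@');
  if (parts.length !== 2 || parts[0].length === 0 || parts[1].length === 0) {
    throw new Error('identifier is not a valid email address');
  }
  return trimmed;
}

// Hardened check: normalize first, then compare the whole domain rather than a suffix.
function hardenedSignInCheck(identifier) {
  let email;
  try {
    email = normalizeIdentifier(identifier);
  } catch (err) {
    return false;
  }
  const domain = email.slice(email.lastIndexOf('@') + 1);
  return domain === 'victim.com';
}

// Constructed sample sign-in identifiers, including the pattern from the advisory.
const SAMPLE_IDENTIFIERS = [
  'alice@victim.com',
  'attacker@attacker.com,victim@victim.com',
  'Bob@VICTIM.COM',
];

// Compare both checks over the samples; the comma-separated list passes the weak
// check but is rejected by the hardened one.
function evaluate(ids) {
  return ids.map((id) => ({
    id,
    weak: weakSignInCheck(id),
    hardened: hardenedSignInCheck(id),
  }));
}
```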
Source: This report was generated using AI