
Cloud Vulnerability DB
A community-led vulnerabilities database
NextAuth.js's email sign-in functionality was found to contain a vulnerability (GHSA-5jpx-9hw9-2fx4) that could allow authentication emails to be misdirected to attacker-controlled mailboxes. The vulnerability affects NextAuth.js versions up to 4.24.11 and 5.0.0-beta.29, and was discovered and disclosed in October 2025 (GitHub Advisory).
The vulnerability stems from a bug in the address parser of nodemailer (versions prior to 7.0.7), which NextAuth.js uses to send sign-in emails. When processing email addresses, the parser mishandles specially crafted inputs that contain more than one @ symbol. For example, an input like '"e@attacker.com"@victim.com' is parsed incorrectly, so the email is delivered to e@attacker.com instead of the intended recipient at victim.com. Under RFC 5321/5322 the quoted string is the local part and victim.com is the domain, so this delivery violates the standards' addressing semantics. The vulnerability has been assigned a CVSS v4 score of 6.9 (Moderate severity) (GitHub Advisory).
The vulnerability allows attackers to intercept authentication emails intended for legitimate users. By exploiting this flaw, attackers can receive login verification links and other sensitive emails meant for victims, potentially leading to unauthorized account access (GitHub Advisory).
The primary mitigation is to update to patched versions of NextAuth.js (4.24.12 or 5.0.0-beta.30) and ensure nodemailer is updated to version 7.0.7 or later. The fix includes improved email address validation and parsing logic to prevent email misdelivery (GitHub Advisory, NextAuth Commit).
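Updating is the fix; the following is an added defence-in-depth example, not code from NextAuth.js or nodemailer. It shows a strict recipient check that a sign-in flow can apply before any mailer library sees the address, refusing exactly the ambiguous forms described above (quoted local parts, a second @, display names, recipient lists). The sendMail callback, the checkRecipient and sendVerificationEmail names and the sample addresses are assumptions made for the example.

```javascript
// Added example (not NextAuth.js or nodemailer code): a conservative recipient
// check for a sign-in email flow. It refuses address forms that a lenient
// parser can misroute, such as a quoted local part that itself contains "@".

// Deliberately narrow grammar: an unquoted dot-atom local part, exactly one
// "@", and a dotted hostname. Quoted strings, comments, angle brackets and
// list separators are rejected even though RFC 5322 permits some of them;
// a sign-in flow has no need for them.
const LOCAL_PART = /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+)*$/;
const DOMAIN_LABEL = /^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$/;

function fail(reason) {
  return { ok: false, reason };
}

// Returns { ok: true, local, domain } for a single unambiguous address, or
// { ok: false, reason } for anything the mailer should never be handed.
function checkRecipient(address) {
  if (typeof address !== 'string') return fail('not a string');
  if (address.length > 254) return fail('too long');
  // Quoting, grouping, display-name and list syntax are all refused outright.
  if (/[\s<>,;()"\\]/.test(address)) return fail('contains quoting, grouping or list characters');
  const parts = address.split('@');
  if (parts.length !== 2) return fail(`expected exactly one "@", found ${parts.length - 1}`);
  const [local, domain] = parts;
  if (local.length === 0 || local.length > 64 || !LOCAL_PART.test(local)) return fail('invalid local part');
  const labels = domain.split('.');
  if (labels.length < 2 || !labels.every((l) => DOMAIN_LABEL.test(l))) return fail('invalid domain');
  // Local parts are case-sensitive by the standard; domains are not.
  return { ok: true, local, domain: domain.toLowerCase() };
}

// Wraps a sendMail-style function so an unsafe recipient is refused before a
// message is built. `sendMail` is a hypothetical callback standing in for
// whatever mailer the application actually uses; the rebuilt `to` value is the
// only recipient string ever passed on.
function sendVerificationEmail(sendMail, address, link) {
  const check = checkRecipient(address);
  if (!check.ok) throw new Error(`refusing to send sign-in email: ${check.reason}`);
  const to = `${check.local}@${check.domain}`;
  return sendMail({ to, subject: 'Sign in', text: `Your sign-in link: ${link}` });
}

// Constructed sample inputs, including the crafted form from the advisory.
const SAMPLES = [
  'alice@victim.com',
  '"e@attacker.com"@victim.com',
  'e@attacker.com@victim.com',
  'Alice <alice@victim.com>',
];
for (const s of SAMPLES) {
  const r = checkRecipient(s);
  console.log(`${s} -> ${r.ok ? 'accepted as ' + r.local + '@' + r.domain : 'rejected: ' + r.reason}`);
}
```

Because the check reconstructs the recipient from the validated local part and domain, a downstream parser bug of the kind described above has nothing ambiguous left to misinterpret; the trade-off is that legitimate but exotic addresses (quoted local parts, IP-literal domains) are refused, which is acceptable for an authentication email.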
Source: This report was generated using AI