
Cloud Vulnerability DB
A community-led vulnerabilities database
NextAuth.js's email sign-in functionality contains a vulnerability (GHSA-5jpx-9hw9-2fx4) that affects versions <4.24.12 and <5.0.0-beta.30. The vulnerability was discovered and disclosed in October 2025 and affects the npm package next-auth. The issue stems from a bug in nodemailer's address parser that allows authentication emails to be misdirected to attacker-controlled mailboxes (GitHub Advisory).
The flaw lies in nodemailer's address parser: a specially crafted email address such as '"e@attacker.com"@victim.com' is processed incorrectly. Instead of delivering to the intended recipient at victim.com, the system sends the email to e@attacker.com. This behavior violates RFC 5321/5322 semantics, under which the quoted string is the local part and victim.com is the delivery domain. The vulnerability has been assigned a CVSS v4 score of 6.9 (Moderate severity), with metrics indicating Network attack vector, Low attack complexity, and High confidentiality impact (GitHub Advisory).
When exploited, this vulnerability allows attackers to intercept sensitive emails intended for legitimate users, including login and verification links. Because those links are the credential in a magic-link flow, this is a significant security risk that could lead to unauthorized access to user accounts and exposure of sensitive information. The vulnerability is classified under CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) (GitHub Advisory).
The recommended mitigation is to update to the patched versions, 4.24.12 or 5.0.0-beta.30, which incorporate nodemailer version 7.0.7, where the address parsing bug is fixed. Since the fix lives in that dependency rather than in next-auth itself, confirm after upgrading that the nodemailer version actually resolved in the lockfile is 7.0.7 or later. These updates have been released to address the security issue directly (GitHub Advisory).
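As an added defense-in-depth example (not code from the advisory, next-auth or nodemailer), the following JavaScript refuses the quoted-local-part address shape described above before any message reaches a mail transport. The names `checkSignInRecipient`, `sendSignInLink` and the `transport` callback are hypothetical, and the check assumes the application does not need RFC-valid quoted local parts, which real mailboxes almost never use.

```javascript
// Strict recipient check for sign-in emails. Added example, not code from
// the advisory, next-auth or nodemailer. It accepts only a plain dot-atom
// local part, exactly one "@" and a dotted hostname, so an address shaped
// like '"e@attacker.com"@victim.com' is refused before any mail is handed
// to a transport. Assumption: quoted local parts are not needed here.

// RFC 5322 atext characters, joined by single dots (dot-atom).
const DOT_ATOM_LOCAL =
  /^[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+(\.[A-Za-z0-9!#$%&'*+\/=?^_`{|}~-]+)*$/;
// Dotted hostname: labels of 1-63 LDH characters, alphabetic top-level label.
const HOSTNAME =
  /^(?=.{1,253}$)([A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)+[A-Za-z]{2,63}$/;

// Returns { ok: true, local, domain } or { ok: false, reason }.
function checkSignInRecipient(address) {
  if (typeof address !== "string" || address.length > 254) {
    return { ok: false, reason: "not a string or longer than 254 characters" };
  }
  // Any quote character means a quoted-string local part: that is the
  // ambiguous shape a lenient parser may route to the inner address.
  if (address.includes('"')) {
    return { ok: false, reason: "quoted local parts are not accepted" };
  }
  const parts = address.split("@");
  if (parts.length !== 2) {
    return { ok: false, reason: `expected exactly one "@", found ${parts.length - 1}` };
  }
  const [local, domain] = parts;
  if (!DOT_ATOM_LOCAL.test(local)) {
    return { ok: false, reason: "local part is not a plain dot-atom" };
  }
  if (!HOSTNAME.test(domain)) {
    return { ok: false, reason: "domain is not a dotted hostname" };
  }
  return { ok: true, local, domain: domain.toLowerCase() };
}

// Gate the send on the check. `transport` is a hypothetical delivery callback
// taking { to, subject, text }; the rebuilt `to` is the only value it sees.
function sendSignInLink(transport, address, link) {
  const verdict = checkSignInRecipient(address);
  if (!verdict.ok) return { sent: false, reason: verdict.reason };
  const to = `${verdict.local}@${verdict.domain}`;
  transport({ to, subject: "Your sign-in link", text: link });
  return { sent: true, to };
}
```

The check is deliberately stricter than the RFC grammar: rejecting every address containing a quote closes the whole class of parser-disagreement inputs rather than the one crafted shape from the advisory.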
Source: This report was generated using AI