CVE-2022-31127: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in nextauthjs next-auth

Medium
Published: Wed Jul 06 2022 (07/06/2022, 18:00:16 UTC)
Source: CVE
Vendor/Project: nextauthjs
Product: next-auth

Description

NextAuth.js is a complete open source authentication solution for Next.js applications. An attacker can pass a compromised input to the e-mail [signin endpoint](https://next-auth.js.org/getting-started/rest-api#post-apiauthsigninprovider) that contains some malicious HTML, tricking the e-mail server to send it to the user, so they can perform a phishing attack. E.g.: `balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>`. This was previously sent to `balazs@email.com`, and the content of the email containing a link to the attacker's site was rendered in the HTML. This has been remedied in the following releases, by simply not rendering that e-mail in the HTML, since it should be obvious to the receiver what e-mail they used: next-auth v3 users before version 3.29.8 are impacted (we recommend upgrading to v4, as v3 is considered unmaintained); next-auth v4 users before version 4.9.0 are impacted. If for some reason you cannot upgrade, the workaround requires you to sanitize the `email` parameter that is passed to `sendVerificationRequest` and rendered in the HTML. If you haven't created a custom `sendVerificationRequest`, you only need to upgrade. Otherwise, make sure to either exclude `email` from the HTML body or efficiently sanitize it.

AI-Powered Analysis

Last updated: 06/22/2025, 00:22:39 UTC

Technical Analysis

CVE-2022-31127 is a cross-site scripting (XSS) vulnerability classified under CWE-79 that affects NextAuth.js, an open-source authentication library widely used in Next.js applications. The vulnerability arises from improper neutralization of user input during web page generation, specifically in the email signin endpoint. An attacker can craft a malicious input containing HTML and submit it as the email parameter of the signin endpoint. That value is then interpolated into the HTML body of the verification email sent to the user. For example, an attacker could submit an email value such as `balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>`. When the mail server delivers the verification email, the injected HTML is rendered by the recipient's mail client, potentially tricking the recipient into clicking attacker-controlled links and facilitating phishing or other social engineering.

The vulnerability affects NextAuth.js versions prior to 3.29.8 in the v3 branch and versions from 4.0.0 up to but not including 4.9.0 in the v4 branch. The issue has been addressed by no longer rendering the email parameter in the HTML content of the verification email. Users who cannot upgrade are advised to sanitize the email parameter in any custom implementation of the sendVerificationRequest function so that malicious HTML cannot be injected.

Submitting the crafted request requires no authentication, but successful exploitation depends on the victim receiving and acting on the resulting phishing email. No known exploits have been reported in the wild as of the publication date. The vulnerability primarily impacts the confidentiality and integrity of users by enabling phishing attacks that could lead to credential theft or further compromise.
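To make the injection point concrete, the following added example (not next-auth's own code) models a verification-mail template in both shapes: the pre-fix one that interpolates the caller-supplied address straight into the markup, and a hardened one that first insists the identifier is a single plain address and then HTML-escapes everything it interpolates. The function names, the `{ email, url, host }` parameter object, the markup and the callback URL are assumptions made for this example; next-auth's real `sendVerificationRequest` signature may differ.

```javascript
// Added example (not next-auth's own code). It models the vulnerable and the
// hardened shape of a verification-mail template for CVE-2022-31127.
// Function names, the { email, url, host } parameter object and the markup
// are assumptions made for this example; the real sendVerificationRequest
// signature in next-auth may differ.

// Escape a value for use as HTML text or inside a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Deliberately strict "one mailbox" check: a single local part and domain,
// no whitespace, commas, semicolons or angle brackets. The advisory payload
// fails on its ", <a ..." tail alone.
const SINGLE_ADDRESS =
  /^[A-Za-z0-9._%+'-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;

function isSingleAddress(identifier) {
  return (
    typeof identifier === "string" &&
    identifier.length <= 254 &&
    SINGLE_ADDRESS.test(identifier)
  );
}

// Pre-fix shape: the caller-supplied address is interpolated into the
// markup unchanged, so any HTML in it is rendered by the mail client.
function renderVerificationEmailVulnerable({ email, url, host }) {
  return `<body>
  <p>Sign in to <strong>${host}</strong> as <strong>${email}</strong></p>
  <p><a href="${url}">Sign in</a></p>
</body>`;
}

// Hardened shape: refuse anything that is not one plain address, and escape
// every interpolated value anyway (the shipped fix in 3.29.8 / 4.9.0 went
// further and stopped rendering the address at all).
function renderVerificationEmailHardened({ email, url, host }) {
  if (!isSingleAddress(email)) {
    throw new Error("refusing to render: identifier is not a single e-mail address");
  }
  return `<body>
  <p>Sign in to <strong>${escapeHtml(host)}</strong> as <strong>${escapeHtml(email)}</strong></p>
  <p><a href="${escapeHtml(url)}">Sign in</a></p>
</body>`;
}

// Constructed input: the payload quoted in the advisory, plus a placeholder
// callback URL (not a real next-auth URL).
const ADVISORY_PAYLOAD =
  'balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>';
const DEMO_URL = "https://example.test/api/auth/callback/email?token=PLACEHOLDER&x=1";

// Running the file directly shows the reflected markup and the hardened refusal.
console.log(renderVerificationEmailVulnerable({ email: ADVISORY_PAYLOAD, url: DEMO_URL, host: "example.test" }));
try {
  renderVerificationEmailHardened({ email: ADVISORY_PAYLOAD, url: DEMO_URL, host: "example.test" });
} catch (err) {
  console.log("hardened template:", err.message);
}
```

The validation step is the one that matters here: escaping alone would still have the mail server attempting delivery to whatever precedes the comma, so a custom `sendVerificationRequest` should reject multi-recipient or markup-bearing identifiers outright rather than merely encode them, and the simplest option of all is the upstream fix of not rendering the address.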

Potential Impact

For European organizations, the impact of this vulnerability can be significant, especially for those relying on NextAuth.js for user authentication in web applications. Successful exploitation can lead to phishing attacks that compromise user credentials, potentially resulting in unauthorized access to sensitive systems and data. This can undermine user trust, lead to data breaches, and cause reputational damage. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, may face legal and compliance repercussions under GDPR if user data is compromised. Additionally, phishing attacks can serve as a vector for further malware deployment or lateral movement within networks. Since NextAuth.js is popular among developers building modern web applications, the scope of affected systems can be broad, impacting both small and large enterprises. The vulnerability does not directly affect system availability but can indirectly cause service disruptions if exploited at scale or if remediation requires downtime.

Mitigation Recommendations

The primary mitigation is to upgrade NextAuth.js to version 3.29.8 or later in the v3 branch, or to version 4.9.0 or later in the v4 branch, where the vulnerability has been fixed by removing the rendering of the email parameter in the verification email HTML. For organizations unable to upgrade immediately, it is critical to sanitize the email parameter passed to the sendVerificationRequest function, stripping or encoding any HTML or script content before it is rendered. If a custom sendVerificationRequest implementation exists, review and modify it to exclude the email parameter from the HTML body or to apply a robust sanitization or HTML-escaping library that neutralizes XSS payloads.

Additionally, organizations should implement email security best practices such as DMARC, DKIM, and SPF to reduce the risk of phishing emails being delivered or trusted; note, however, that in this vulnerability the phishing content is sent by the organization's own legitimate mail infrastructure, so these sender-authentication controls will pass and do not by themselves block it. User awareness training focused on recognizing phishing attempts can further reduce the risk of successful exploitation. Monitoring email logs and application logs for unusual or malformed email parameters can help detect attempted exploitation. Finally, applying Content Security Policy (CSP) headers in web applications can mitigate the impact of XSS attacks by restricting the execution of unauthorized scripts, although CSP governs pages served by the application and does not apply to HTML rendered by the recipient's mail client, so it does not address this particular vector.
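The log-monitoring advice above can be turned into a concrete check. The following is an added example (not next-auth's or the site's own code) that scans newline-delimited JSON application logs for POSTs to the e-mail sign-in route whose submitted identifier is not a single plain address. The field names (`method`, `path`, `email`, `ip`), the sign-in path (which assumes the default provider id `email`) and the sample log lines are all constructed for this example.

```javascript
// Added example (not next-auth's own code): a log check for the detection
// advice in the mitigation section. It assumes the application writes one
// JSON object per line with the request path and the submitted e-mail
// identifier; the field names (method, path, email, ip), the sign-in path
// and the log lines themselves are constructed for this example.

const EMAIL_SIGNIN_PATH = "/api/auth/signin/email"; // assumes provider id "email"
const SINGLE_ADDRESS =
  /^[A-Za-z0-9._%+'-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)*\.[A-Za-z]{2,}$/;

// Classify one submitted identifier. Returns null when it looks like one
// plain address, otherwise a short reason string for the alert. Checks are
// ordered so the most telling symptom (markup) is reported first.
function classifyIdentifier(value) {
  if (typeof value !== "string") return "missing-or-non-string";
  if (/[<>]/.test(value)) return "html-markup";
  if (/[,;]/.test(value)) return "multiple-recipients";
  if (/\s/.test(value)) return "whitespace";
  if (value.length > 254) return "too-long";
  if (!SINGLE_ADDRESS.test(value)) return "not-an-address";
  return null;
}

// Scan NDJSON log text; return one finding per suspicious sign-in request.
// Lines that are not JSON are reported too, since a tampered or truncated
// log is itself worth a look.
function findSuspiciousSigninRequests(ndjson) {
  const findings = [];
  for (const [index, line] of ndjson.split("\n").entries()) {
    if (!line.trim()) continue;
    let record;
    try {
      record = JSON.parse(line);
    } catch {
      findings.push({ line: index + 1, reason: "unparseable-log-line" });
      continue;
    }
    if (record.method !== "POST" || record.path !== EMAIL_SIGNIN_PATH) continue;
    const reason = classifyIdentifier(record.email);
    if (reason) {
      findings.push({ line: index + 1, reason, email: record.email, ip: record.ip });
    }
  }
  return findings;
}

// Constructed sample log: one benign sign-in, the advisory payload, a second
// address smuggled in with a semicolon, and an unrelated route that must be
// ignored even though it carries an odd "email" field.
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2022-07-06T18:00:00Z", ip: "192.0.2.10", method: "POST", path: "/api/auth/signin/email", email: "balazs@email.com" }),
  JSON.stringify({ ts: "2022-07-06T18:00:05Z", ip: "192.0.2.44", method: "POST", path: "/api/auth/signin/email", email: 'balazs@email.com, <a href="http://attacker.com">Before signing in, claim your money!</a>' }),
  JSON.stringify({ ts: "2022-07-06T18:00:09Z", ip: "192.0.2.44", method: "POST", path: "/api/auth/signin/email", email: "victim@example.test;attacker@example.test" }),
  JSON.stringify({ ts: "2022-07-06T18:00:12Z", ip: "192.0.2.10", method: "GET", path: "/api/auth/session", email: "<ignored>" }),
].join("\n");

// Running the file directly prints the two findings from the sample log.
console.log(findSuspiciousSigninRequests(SAMPLE_LOG));
```

Because the fixed releases reject nothing at the endpoint (they simply stop rendering the address), a finding here is evidence of an attempt rather than of a successful injection; correlate the source IP and timing with the outgoing mail log to confirm whether a verification message was actually sent for that request.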

Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2022-05-18T00:00:00.000Z
CISA Enriched: true

Threat ID: 682d9849c4522896dcbf668e

Added to database: 5/21/2025, 9:09:29 AM

Last enriched: 6/22/2025, 12:22:39 AM

Last updated: 8/14/2025, 11:52:46 PM
