CVE-2022-35924: CWE-20: Improper Input Validation in nextauthjs next-auth
NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization.
AI Analysis
Technical Summary
CVE-2022-35924 is a medium-severity vulnerability affecting NextAuth.js, an open-source authentication library widely used in Next.js applications. The flaw exists in the EmailProvider component of next-auth versions prior to 4.10.3 and 3.29.10. The vulnerability arises from improper input validation (CWE-20) of the email parameter during the sign-in process. Specifically, an attacker can craft a sign-in request containing a comma-separated list of email addresses (e.g., "attacker@attacker.com,victim@victim.com"). Due to the lack of normalization, NextAuth.js processes this input as a single email string, sending sign-in emails to both addresses. This behavior allows the attacker to create a user session with a compound email string that bypasses authorization checks relying on simple string matching, such as verifying if the email ends with a trusted domain (e.g., "@victim.com"). Consequently, authorization logic that assumes a single, normalized email address can be circumvented, enabling unauthorized access. The vulnerability was patched by normalizing the email input before further processing and by introducing a "normalizeIdentifier" callback in the EmailProvider configuration to enforce stricter email validation rules. No known exploits are reported in the wild, and no effective workarounds exist other than upgrading or implementing advanced request normalization during initialization.
Potential Impact
For European organizations using NextAuth.js with the vulnerable versions, this flaw can lead to unauthorized user access by bypassing email-based authorization controls. This could compromise the confidentiality and integrity of user accounts and sensitive data, especially in applications relying solely on email domain checks for authorization. Attackers could impersonate users from trusted domains or escalate privileges by exploiting this input validation weakness. The impact is particularly critical for sectors handling sensitive personal data, such as finance, healthcare, and government services, where unauthorized access could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Although availability impact is limited, the breach of authentication integrity undermines trust in affected services. Since exploitation does not require authentication or user interaction beyond sending a crafted sign-in request, the attack surface is broad, increasing risk exposure.
Mitigation Recommendations
The primary mitigation is to upgrade NextAuth.js to versions 4.10.3 or later, or 3.29.10 or later, where the vulnerability is patched. For organizations unable to upgrade immediately, implement strict input normalization on the sign-in endpoint to reject or sanitize comma-separated email lists before processing. Utilize the newly introduced "normalizeIdentifier" callback in the EmailProvider configuration to enforce strict RFC2821-compliant email validation, preventing malformed or compound email inputs. Review and strengthen authorization logic to avoid simplistic string matching on email addresses; instead, parse and validate emails explicitly. Conduct thorough code audits to identify any assumptions about email format in authentication and authorization workflows. Monitor authentication logs for unusual sign-in attempts containing multiple emails or malformed addresses. Additionally, consider implementing multi-factor authentication (MFA) to reduce the risk of unauthorized access even if email validation is bypassed.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain, Poland
CVE-2022-35924: CWE-20: Improper Input Validation in nextauthjs next-auth
Description
NextAuth.js is a complete open source authentication solution for Next.js applications. `next-auth` users who are using the `EmailProvider` either in versions before `4.10.3` or `3.29.10` are affected. If an attacker could forge a request that sent a comma-separated list of emails (eg.: `attacker@attacker.com,victim@victim.com`) to the sign-in endpoint, NextAuth.js would send emails to both the attacker and the victim's e-mail addresses. The attacker could then login as a newly created user with the email being `attacker@attacker.com,victim@victim.com`. This means that basic authorization like `email.endsWith("@victim.com")` in the `signIn` callback would fail to communicate a threat to the developer and would let the attacker bypass authorization, even with an `@attacker.com` address. This vulnerability has been patched in `v4.10.3` and `v3.29.10` by normalizing the email value that is sent to the sign-in endpoint before accessing it anywhere else. We also added a `normalizeIdentifier` callback on the `EmailProvider` configuration, where you can further tweak your requirements for what your system considers a valid e-mail address. (E.g.: strict RFC2821 compliance). Users are advised to upgrade. There are no known workarounds for this vulnerability. If for some reason you cannot upgrade, you can normalize the incoming request using Advanced Initialization.
AI-Powered Analysis
Technical Analysis
CVE-2022-35924 is a medium-severity vulnerability affecting NextAuth.js, an open-source authentication library widely used in Next.js applications. The flaw exists in the EmailProvider component of next-auth versions prior to 4.10.3 and 3.29.10. The vulnerability arises from improper input validation (CWE-20) of the email parameter during the sign-in process. Specifically, an attacker can craft a sign-in request containing a comma-separated list of email addresses (e.g., "attacker@attacker.com,victim@victim.com"). Due to the lack of normalization, NextAuth.js processes this input as a single email string, sending sign-in emails to both addresses. This behavior allows the attacker to create a user session with a compound email string that bypasses authorization checks relying on simple string matching, such as verifying if the email ends with a trusted domain (e.g., "@victim.com"). Consequently, authorization logic that assumes a single, normalized email address can be circumvented, enabling unauthorized access. The vulnerability was patched by normalizing the email input before further processing and by introducing a "normalizeIdentifier" callback in the EmailProvider configuration to enforce stricter email validation rules. No known exploits are reported in the wild, and no effective workarounds exist other than upgrading or implementing advanced request normalization during initialization.
Potential Impact
For European organizations using NextAuth.js with the vulnerable versions, this flaw can lead to unauthorized user access by bypassing email-based authorization controls. This could compromise the confidentiality and integrity of user accounts and sensitive data, especially in applications relying solely on email domain checks for authorization. Attackers could impersonate users from trusted domains or escalate privileges by exploiting this input validation weakness. The impact is particularly critical for sectors handling sensitive personal data, such as finance, healthcare, and government services, where unauthorized access could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Although availability impact is limited, the breach of authentication integrity undermines trust in affected services. Since exploitation does not require authentication or user interaction beyond sending a crafted sign-in request, the attack surface is broad, increasing risk exposure.
Mitigation Recommendations
The primary mitigation is to upgrade NextAuth.js to versions 4.10.3 or later, or 3.29.10 or later, where the vulnerability is patched. For organizations unable to upgrade immediately, implement strict input normalization on the sign-in endpoint to reject or sanitize comma-separated email lists before processing. Utilize the newly introduced "normalizeIdentifier" callback in the EmailProvider configuration to enforce strict RFC2821-compliant email validation, preventing malformed or compound email inputs. Review and strengthen authorization logic to avoid simplistic string matching on email addresses; instead, parse and validate emails explicitly. Conduct thorough code audits to identify any assumptions about email format in authentication and authorization workflows. Monitor authentication logs for unusual sign-in attempts containing multiple emails or malformed addresses. Additionally, consider implementing multi-factor authentication (MFA) to reduce the risk of unauthorized access even if email validation is bypassed.
Affected Countries
Technical Details
- Data Version
- 5.1
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2022-07-15T00:00:00.000Z
- Cisa Enriched
- true
Threat ID: 682d9844c4522896dcbf3a51
Added to database: 5/21/2025, 9:09:24 AM
Last enriched: 6/23/2025, 12:35:18 AM
Last updated: 2/3/2026, 1:21:44 PM
Views: 58
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-7760: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Ofisimo Web-Based Software Technologies Association Web Package Flora
HighCVE-2025-6397: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in Ankara Hosting Website Design Website Software
HighHackers Leak 5.1 Million Panera Bread Records
MediumCVE-2026-1664: CWE-639 Authorization Bypass Through User-Controlled Key
MediumCVE-2025-11598: CWE-359 Exposure of Private Personal Information to an Unauthorized Actor in Centralny Ośrodek Informatyki mObywatel
LowActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.