CVE-2022-35924 is a medium-severity vulnerability affecting NextAuth.js, an open-source authentication library widely used in Next.js applications. The flaw exists in the EmailProvider component of next-auth versions prior to 4.10.3 and 3.29.10. The vulnerability arises from improper input validation (CWE-20) of the email parameter during the sign-in process. Specifically, an attacker can craft a sign-in request containing a comma-separated list of email addresses (e.g., "attacker@attacker.com,victim@victim.com"). Due to the lack of normalization, NextAuth.js processes this input as a single email string, sending sign-in emails to both addresses. This behavior allows the attacker to create a user session with a compound email string that bypasses authorization checks relying on simple string matching, such as verifying if the email ends with a trusted domain (e.g., "@victim.com"). Consequently, authorization logic that assumes a single, normalized email address can be circumvented, enabling unauthorized access. The vulnerability was patched by normalizing the email input before further processing and by introducing a "normalizeIdentifier" callback in the EmailProvider configuration to enforce stricter email validation rules. No known exploits are reported in the wild, and no effective workarounds exist other than upgrading or implementing advanced request normalization during initialization.

For European organizations using NextAuth.js with the vulnerable versions, this flaw can lead to unauthorized user access by bypassing email-based authorization controls. This could compromise the confidentiality and integrity of user accounts and sensitive data, especially in applications relying solely on email domain checks for authorization. Attackers could impersonate users from trusted domains or escalate privileges by exploiting this input validation weakness. The impact is particularly critical for sectors handling sensitive personal data, such as finance, healthcare, and government services, where unauthorized access could lead to data breaches, regulatory non-compliance (e.g., GDPR violations), and reputational damage. Although availability impact is limited, the breach of authentication integrity undermines trust in affected services. Since exploitation does not require authentication or user interaction beyond sending a crafted sign-in request, the attack surface is broad, increasing risk exposure.

The primary mitigation is to upgrade NextAuth.js to versions 4.10.3 or later, or 3.29.10 or later, where the vulnerability is patched. For organizations unable to upgrade immediately, implement strict input normalization on the sign-in endpoint to reject or sanitize comma-separated email lists before processing. Utilize the newly introduced "normalizeIdentifier" callback in the EmailProvider configuration to enforce strict RFC2821-compliant email validation, preventing malformed or compound email inputs. Review and strengthen authorization logic to avoid simplistic string matching on email addresses; instead, parse and validate emails explicitly. Conduct thorough code audits to identify any assumptions about email format in authentication and authorization workflows. Monitor authentication logs for unusual sign-in attempts containing multiple emails or malformed addresses. Additionally, consider implementing multi-factor authentication (MFA) to reduce the risk of unauthorized access even if email validation is bypassed.