fix: security issue from nodemailer (#13305)

Author: himself65

packages/core/package.json

@@ -76,7 +76,7 @@
   "peerDependencies": {
     "@simplewebauthn/browser": "^9.0.1",
     "@simplewebauthn/server": "^9.0.2",
-    "nodemailer": "^6.8.0"
+    "nodemailer": "^7.0.7"
   },
   "peerDependenciesMeta": {
     "@simplewebauthn/browser": {

packages/core/src/lib/actions/signin/send-token.ts

@@ -93,11 +93,32 @@ export async function sendToken(
 
 function defaultNormalizer(email?: string) {
   if (!email) throw new Error("Missing email from request body.")
+
+  const trimmedEmail = email.toLowerCase().trim()
+
+  // Reject email addresses with quotes to prevent address parser confusion
+  // This prevents attacks like "[email protected]"@victim.com
+  if (trimmedEmail.includes('"')) {
+    throw new Error("Invalid email address format.")
+  }
+
   // Get the first two elements only,
   // separated by `@` from user input.
-  let [local, domain] = email.toLowerCase().trim().split("@")
+  let [local, domain] = trimmedEmail.split("@")
+
+  // Validate that we have exactly 2 parts (local and domain)
+  if (!local || !domain || trimmedEmail.split("@").length !== 2) {
+    throw new Error("Invalid email address format.")
+  }
+
   // The part before "@" can contain a ","
   // but we remove it on the domain part
   domain = domain.split(",")[0]
+
+  // Additional validation: domain should not be empty after comma split
+  if (!domain) {
+    throw new Error("Invalid email address format.")
+  }
+
   return `${local}@${domain}`
 }

packages/frameworks-sveltekit/package.json

@@ -57,7 +57,7 @@
     "@simplewebauthn/browser": "^9.0.1",
     "@simplewebauthn/server": "^9.0.3",
     "@sveltejs/kit": "^1.0.0 || ^2.0.0",
-    "nodemailer": "^6.6.5",
+    "nodemailer": "^7.0.7",
     "svelte": "^3.54.0 || ^4.0.0 || ^5.0.0-0"
   },
   "peerDependenciesMeta": {

packages/next-auth/package.json

@@ -92,7 +92,7 @@
     "@simplewebauthn/browser": "^9.0.1",
     "@simplewebauthn/server": "^9.0.2",
     "next": "^14.0.0-0 || ^15.0.0-0",
-    "nodemailer": "^6.6.5",
+    "nodemailer": "^7.0.7",
     "react": "^18.2.0 || ^19.0.0-0"
   },
   "peerDependenciesMeta": {
@@ -110,7 +110,7 @@
     "@types/react": "18.0.37",
     "dotenv": "^10.0.0",
     "next": "15.3.1",
-    "nodemailer": "^6.9.3",
+    "nodemailer": "^7.0.7",
     "react": "^18.2.0"
   }
 }