fix: security issue from nodemailer (#13304)

Author: himself65

packages/next-auth/package.json

@@ -101,7 +101,7 @@
   "peerDependencies": {
     "@auth/core": "0.34.2",
     "next": "^12.2.5 || ^13 || ^14 || ^15",
-    "nodemailer": "^6.6.5",
+    "nodemailer": "^7.0.7",
     "react": "^17.0.2 || ^18 || ^19",
     "react-dom": "^17.0.2 || ^18 || ^19"
   },

packages/next-auth/src/core/routes/signin.ts

@@ -39,12 +39,39 @@ export default async function signin(params: {
     const normalizer: (identifier: string) => string =
       provider.normalizeIdentifier ??
       ((identifier) => {
+        const trimmedEmail = identifier.trim()
+
+        // Validate email format according to RFC 5321/5322
+        // Reject emails with quotes in the local part to prevent address parser exploits
+        // Reject multiple @ symbols which could indicate an exploit attempt
+        const atCount = (trimmedEmail.match(/@/g) ?? []).length
+        if (atCount !== 1) {
+          throw new Error("Invalid email address format.")
+        }
+
+        // Check for quotes in the email address which could be used for exploits
+        if (trimmedEmail.includes('"')) {
+          throw new Error("Invalid email address format.")
+        }
+
         // Get the first two elements only,
         // separated by `@` from user input.
-        let [local, domain] = identifier.toLowerCase().trim().split("@")
+        let [local, domain] = trimmedEmail.toLowerCase().split("@")
+
+        // Validate that both local and domain parts exist and are non-empty
+        if (!local || !domain) {
+          throw new Error("Invalid email address format.")
+        }
+
         // The part before "@" can contain a ","
         // but we remove it on the domain part
         domain = domain.split(",")[0]
+
+        // Additional validation: domain must have at least one dot
+        if (!domain.includes(".")) {
+          throw new Error("Invalid email address format.")
+        }
+
         return `${local}@${domain}`
       })