Summary
The message query parameter in /api/auth/email-callback is interpolated into the redirect URL without encoding, allowing parameter injection.
Actual behavior
redirect(`${next}?message=${message}&type=update_email`)
A crafted URL like /api/auth/email-callback?message=foo%26error%3Dinjected would produce:
/dashboard/account?message=foo&error=injected&type=update_email
The &error=injected part breaks out of the message parameter and injects an additional query param. This is inconsistent with encodedRedirect() used elsewhere in the same file (line 21), which properly encodes values.
Expected behavior
The message value should be encoded before interpolation to prevent parameter injection.
Fix
redirect(`${next}?message=${encodeURIComponent(message)}&type=update_email`)
Both redirect calls on lines 17 and 27 are affected.
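The following is an added example, not code from the issue or from the project: it reproduces the unencoded interpolation beside the encodeURIComponent() fix and parses the resulting redirect targets the way a browser would, so the injected parameter is visible in one case and absent in the other. The helper names, the `next` value and the base origin are assumptions for illustration; the real handler calls Next.js `redirect()` rather than returning a string.

```javascript
// Builds the redirect target the way the report describes it (vulnerable form).
// `next` and `message` are assumed to be the already-decoded values the handler
// reads from the incoming request.
function buildRedirectUnsafe(next, message) {
  return `${next}?message=${message}&type=update_email`;
}

// Same construction with the fix from the issue: the value is percent-encoded
// before interpolation, so '&' and '=' inside it cannot start a new parameter.
function buildRedirectSafe(next, message) {
  return `${next}?message=${encodeURIComponent(message)}&type=update_email`;
}

// Parse a relative redirect target into {name: value} exactly as the receiving
// page would see it. The base origin is a placeholder, needed only so that a
// relative path is accepted by the WHATWG URL parser (global in Node >= 10).
function parseQuery(target) {
  const u = new URL(target, 'http://localhost');
  return Object.fromEntries(u.searchParams.entries());
}

// Recover the decoded `message` value from the crafted URL quoted in the issue.
// URLSearchParams decodes once, so the handler receives 'foo&error=injected'.
function craftedMessage() {
  const incoming = new URL(
    '/api/auth/email-callback?message=foo%26error%3Dinjected',
    'http://localhost'
  );
  return incoming.searchParams.get('message');
}

// Run both builders on the crafted value and return the parsed query of each
// target. Expected: the unsafe result carries an extra `error` key, the safe
// result carries only `message` and `type` with the value intact.
function compare() {
  const next = '/dashboard/account'; // assumed, taken from the issue's example
  const message = craftedMessage();
  return {
    message,
    unsafe: parseQuery(buildRedirectUnsafe(next, message)),
    safe: parseQuery(buildRedirectSafe(next, message)),
  };
}

// A small guard that the same test could use in a regression suite: true when
// the redirect target exposes a parameter the handler never meant to set.
function hasUnexpectedParams(target, allowed = ['message', 'type']) {
  return Object.keys(parseQuery(target)).some((k) => !allowed.includes(k));
}

console.log(JSON.stringify(compare(), null, 2));
```

The `hasUnexpectedParams()` check is the shape of assertion worth keeping in the project's test suite for both redirect calls: build the target with a value containing `&` and `=`, parse it, and fail if any key other than `message` and `type` appears.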