| 0 |
| url |
VCID-69mc-pa6e-zyf3 |
| vulnerability_id |
VCID-69mc-pa6e-zyf3 |
| summary |
Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs, it incorrectly allows scheme-less URLs. This results in the browser interpreting the URL as a fully qualified URL, leading to unintended redirection. An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker's website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens. This CVE is a bypass of the fix for GHSA-8jhw-6pjj-8723/CVE-2024-56734. Version 1.1.21 contains an updated patch. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-27143, GHSA-hjpm-7mrm-26w8
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-69mc-pa6e-zyf3 |
|
| 1 |
| url |
VCID-736k-tj73-nuex |
| vulnerability_id |
VCID-736k-tj73-nuex |
| summary |
Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)
### Summary
The better-auth `/api/auth/error` page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability.
### Details
The value of `error` URL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81
### Impact
An attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-9x4v-xfq5-m8x5
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-736k-tj73-nuex |
|
| 2 |
| url |
VCID-hv9u-qvqb-c3by |
| vulnerability_id |
VCID-hv9u-qvqb-c3by |
| summary |
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
### Summary
Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.
---
### Description
When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.
However, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.
This results in a situation where session validity can be established before all authentication constraints are satisfied.
---
### Impact
An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.
Any application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.
---
### Mitigation
* Upgrade to a version of `better-auth` that includes the fix for this issue.
* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.
* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-xg6x-h9c9-2m83
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-hv9u-qvqb-c3by |
|
| 3 |
| url |
VCID-mk24-jqdu-euh7 |
| vulnerability_id |
VCID-mk24-jqdu-euh7 |
| summary |
Better Auth allows bypassing the trustedOrigins Protection which leads to ATO
### Summary
A bypass was discovered in the trustedOrigins validation logic—affecting both absolute URL entries and wildcard domain patterns. This flaw allows an attacker to construct a malicious callbackURL that passes origin checks and triggers an open redirect.
Because redirect endpoints include sensitive tokens (such as password-reset tokens), this vulnerability can enable one-click account takeover if a victim clicks a crafted link. |
| references |
|
| fixed_packages |
|
| aliases |
GHSA-vp58-j275-797x
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-mk24-jqdu-euh7 |
|
| 4 |
| url |
VCID-qxvr-3p5w-vke6 |
| vulnerability_id |
VCID-qxvr-3p5w-vke6 |
| summary |
Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2024-56734, GHSA-8jhw-6pjj-8723
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qxvr-3p5w-vke6 |
|
| 5 |
| url |
VCID-wq9k-qm9f-h3aa |
| vulnerability_id |
VCID-wq9k-qm9f-h3aa |
| summary |
Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://github.com/better-auth/better-auth |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
2.1 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
LOW |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/better-auth/better-auth |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-53535, GHSA-36rg-gfq2-3h56
|
| risk_score |
1.4 |
| exploitability |
0.5 |
| weighted_severity |
2.7 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wq9k-qm9f-h3aa |
|
| 6 |
|
| 7 |
| url |
VCID-xcfr-utg2-u7a8 |
| vulnerability_id |
VCID-xcfr-utg2-u7a8 |
| summary |
Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges. Version 1.3.26 contains a patch for the issue. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-61928, GHSA-99h5-pjcv-gr6v
|
| risk_score |
4.2 |
| exploitability |
0.5 |
| weighted_severity |
8.4 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xcfr-utg2-u7a8 |
|
| 8 |
|