ghsa-36rg-gfq2-3h56
Vulnerability from github
Published
2025-07-07 22:13
Modified
2025-07-07 22:13
Severity ?
VLAI Severity ?
Summary
Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes
Details
Summary
An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback.
Details
In the matchesPattern function, url.startsWith( can be deceived with a url that starts with one of the trustedOrigins.
jsx
const matchesPattern = (url: string, pattern: string): boolean => {
if (url.startsWith("/")) {
return false;
}
if (pattern.includes("*")) {
return wildcardMatch(pattern)(getHost(url));
}
return url.startsWith(pattern);
};
Open Redirect PoCs
jsx
export const auth = betterAuth({
baseURL: 'http://localhost:3000',
trustedOrigins: [
"http://trusted.com"
],
emailAndPassword: {
...
},
})
/reset-password/:token
/verify-email
/delete-user/callback
/magic-link/verify
/oauth-proxy-callback
Impact
Untrusted open redirects in various routes.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.2.9"
},
"package": {
"ecosystem": "npm",
"name": "better-auth"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.2.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53535"
],
"database_specific": {
"cwe_ids": [
"CWE-601"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-07T22:13:14Z",
"nvd_published_at": "2025-07-07T18:15:28Z",
"severity": "LOW"
},
"details": "### Summary\n\nAn open redirect has been found in the `originCheck` middleware function, which affects the following routes: `/verify-email`, `/reset-password/:token`, `/delete-user/callback`, `/magic-link/verify`, `/oauth-proxy-callback`.\n\n### Details\n\nIn the `matchesPattern` function, `url.startsWith(` can be deceived with a `url` that starts with one of the `trustedOrigins`.\n\n```jsx\n\t\tconst matchesPattern = (url: string, pattern: string): boolean =\u003e {\n\t\t\tif (url.startsWith(\"/\")) {\n\t\t\t\treturn false;\n\t\t\t}\n\t\t\tif (pattern.includes(\"*\")) {\n\t\t\t\treturn wildcardMatch(pattern)(getHost(url));\n\t\t\t}\n\t\t\treturn url.startsWith(pattern);\n\t\t};\n```\n\n### Open Redirect PoCs\n\n```jsx\nexport const auth = betterAuth({\n\tbaseURL: \u0027http://localhost:3000\u0027,\n\ttrustedOrigins: [\n\t\t\"http://trusted.com\"\n\t],\n\temailAndPassword: {\n\t\t...\n\t},\n})\n```\n\n#### `/reset-password/:token`\n\n\u003cimg width=\"481\" alt=\"image\" src=\"https://github.com/user-attachments/assets/46e7871a-1dad-4375-af94-0446e29aaab6\" /\u003e\n\u003cbr/\u003e\n\u003cimg width=\"518\" alt=\"image 1\" src=\"https://github.com/user-attachments/assets/83abfb53-6fc9-4d1f-918d-9b4ce093c808\" /\u003e\n\n#### `/verify-email`\n\n\u003cimg width=\"549\" alt=\"image\" src=\"https://github.com/user-attachments/assets/7dd424b7-42a4-4616-aa73-fcc2e3eeb309\" /\u003e\n\u003cbr/\u003e\n\u003cimg width=\"436\" alt=\"image\" src=\"https://github.com/user-attachments/assets/54f11636-0a3e-4e83-9a09-57c5e8ba98cd\" /\u003e\n\n#### `/delete-user/callback`\n\n\u003cimg width=\"545\" alt=\"image\" src=\"https://github.com/user-attachments/assets/2ff1b217-d069-48fb-81c1-f8c8792d34a4\" /\u003e\n\u003cbr/\u003e\n\u003cimg width=\"492\" alt=\"image\" src=\"https://github.com/user-attachments/assets/71df11db-9d38-4f34-abe1-add9d60b3486\" /\u003e\n\n#### `/magic-link/verify`\n\n\u003cimg width=\"379\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6b6b6a8a-59b6-4a65-9df3-57d5b2f6eb0f\" /\u003e\n\u003cbr/\u003e\n\u003cimg width=\"413\" alt=\"image\" src=\"https://github.com/user-attachments/assets/82a5c9c6-2ea0-44eb-af48-40732657b59e\" /\u003e\n\n#### `/oauth-proxy-callback`\n\n\u003cimg width=\"548\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d8d2ee51-e9fd-4337-bec3-a70afd1ceacb\" /\u003e\n\u003cbr/\u003e\n\u003cimg width=\"544\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f097d406-b965-4f85-b124-9b0ef1cc2689\" /\u003e\n\n### Impact\n\nUntrusted open redirects in various routes.",
"id": "GHSA-36rg-gfq2-3h56",
"modified": "2025-07-07T22:13:14Z",
"published": "2025-07-07T22:13:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53535"
},
{
"type": "WEB",
"url": "https://github.com/better-auth/better-auth/commit/9801d1be53d9da04686b94c6286c53ec97496740"
},
{
"type": "PACKAGE",
"url": "https://github.com/better-auth/better-auth"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
],
"summary": "Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…