GHSA-569Q-MPPH-WGWW

Vulnerability from github – Published: 2025-12-01 21:29 – Updated: 2025-12-01 21:29
VLAI
Summary
Better Auth affected by external request basePath modification DoS
Details

Summary

Affected versions of Better Auth allow an external request to configure baseURL when it isn’t defined through any other means. This can be abused to poison the router’s base path, causing all routes to return 404 for all users.

This issue is only exploitable when baseURL is not explicitly configured (e.g., BETTER_AUTH_URL is missing) and the attacker is able to make the very first request to the server after startup. In properly configured environments or typical managed hosting platforms, this fallback behavior cannot be reached.

Details

A combination of X-Forwarded-Host and X-Forwarded-Proto is implicitly trusted. This allows the first request to configure baseURL whenever it is not explicitly configured.

Here's the code that reads the headers:

headers

Here's the call to getBaseURL(), the result is assigned to ctx.baseURL.

write

Here's the router receiving the poisoned basePath:

router

X-Forwarded-Host and X-Forwarded-Proto can be used to modify the pathname of a parsed URL object which forms baseURL. basePath is then derived from the pathname of baseURL. Once the router basePath is poisoned it fails to match & route incoming requests.

Repro

Start a better-auth server with no baseURL configuration.

Send the following request as the first request to the server:

curl -i --location 'https://example.com/api/auth/ok' \
--header 'X-Forwarded-Proto: some:' \
--header 'X-Forwarded-Host: junk'

The better-auth API check endpoint returns 404.

Now send a regular request without the X-Forwarded-Proto and X-Forwarded-Host headers.

curl -i --location 'https://example.com/api/auth/ok'

The better-auth API check endpoint still returns 404.

Example result

attack

We have modified the basePath for the router until the server is restarted. An attacker can repeatedly send these attack requests aiming to persistently exploit the vulnerability.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "better-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.4.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-73"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-01T21:29:48Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "# Summary\n\nAffected versions of Better Auth allow an external request to configure `baseURL` when it isn\u2019t defined through any other means. This can be abused to poison the router\u2019s base path, causing all routes to return 404 for all users.\n\nThis issue is only exploitable when `baseURL` is not explicitly configured (e.g., `BETTER_AUTH_URL` is missing) *and* the attacker is able to make the very first request to the server after startup. In properly configured environments or typical managed hosting platforms, this fallback behavior cannot be reached.\n\n# Details\n\nA combination of `X-Forwarded-Host` and `X-Forwarded-Proto` is implicitly trusted. This allows the first request to configure baseURL whenever it is not explicitly configured.\n\nHere\u0027s the code that reads the headers:\n\n\u003cimg width=\"631\" height=\"219\" alt=\"headers\" src=\"https://github.com/user-attachments/assets/b3fb0078-a62f-4058-9d0b-4afbd30c4953\" /\u003e\n\nHere\u0027s the call to `getBaseURL()`, the result is assigned to `ctx.baseURL`.\n\n\u003cimg width=\"838\" height=\"414\" alt=\"write\" src=\"https://github.com/user-attachments/assets/a7b4dd17-75c3-49ef-9d08-6a2079d6a0ea\" /\u003e\n\nHere\u0027s the router receiving the poisoned `basePath`:\n\n\u003cimg width=\"594\" height=\"372\" alt=\"router\" src=\"https://github.com/user-attachments/assets/5fdf2862-9cd1-4b96-b146-18e67d904157\" /\u003e\n\n`X-Forwarded-Host` and `X-Forwarded-Proto` can be used to modify the pathname of a parsed URL object which forms `baseURL`. `basePath` is then derived from the pathname of `baseURL`. Once the router `basePath` is poisoned it fails to match \u0026 route incoming requests.\n\n# Repro\n\nStart a better-auth server with no `baseURL` configuration.\n\nSend the following request as the first request to the server:\n\n```curl\ncurl -i --location \u0027https://example.com/api/auth/ok\u0027 \\\n--header \u0027X-Forwarded-Proto: some:\u0027 \\\n--header \u0027X-Forwarded-Host: junk\u0027\n```\n\nThe better-auth API check endpoint returns 404.\n\nNow send a regular request without the `X-Forwarded-Proto` and `X-Forwarded-Host` headers.\n\n```curl\ncurl -i --location \u0027https://example.com/api/auth/ok\u0027\n```\n\nThe better-auth API check endpoint still returns 404.\n\n_Example result_\n\n\u003cimg width=\"662\" height=\"307\" alt=\"attack\" src=\"https://github.com/user-attachments/assets/5a9cfdb5-3db7-4504-9f0a-b3c32a6dc823\" /\u003e\n\nWe have modified the `basePath` for the router until the server is restarted. An attacker can repeatedly send these attack requests aiming to persistently exploit the vulnerability.",
  "id": "GHSA-569q-mpph-wgww",
  "modified": "2025-12-01T21:29:48Z",
  "published": "2025-12-01T21:29:48Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/better-auth/better-auth"
    },
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/releases/tag/v1.4.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Better Auth affected by external request basePath modification DoS"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…