fix(deps): update dependency better-auth to v1.1.21 [security] #993
+13 −7
This PR contains the following updates:
better-auth: 1.1.10 -> 1.1.21
GitHub Vulnerability Alerts
GHSA-9x4v-xfq5-m8x5
Summary
The better-auth /api/auth/error page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability.
Details
The value of the error URL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81
PoC
https://demo.better-auth.com/api/auth/error?error=%3Cscript%3Ealert(1)%3C/script%3E
Impact
An attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser.
Because better-auth is a dependency of web applications, the impact of such a vulnerability is unknowable; it depends on the functionality of the application/site using better-auth. I have calculated the CVSS score assuming the hypothetical victim is an administrator with elevated permissions and access.
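The defensive fix the advisory implies is to stop treating the error query parameter as markup. The following is an added example, not better-auth's own error route: it shows the unsafe concatenation pattern beside a hardened renderer that maps the parameter to a fixed message and HTML-escapes anything it echoes. The KNOWN_ERRORS table and the page layout are assumptions made for the example.

```javascript
// Added example (not better-auth code): rendering an auth error page without
// reflecting the raw "error" query parameter as HTML.
// KNOWN_ERRORS is an assumed mapping; real applications define their own codes.
const KNOWN_ERRORS = {
  invalid_token: 'The verification link is invalid or has expired.',
  access_denied: 'Access was denied.',
};

// Escape the five characters that change meaning in an HTML text or
// attribute context. Applied to every value that is interpolated into markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// The pattern the advisory describes: untrusted input concatenated straight
// into the page, so "<script>" in the parameter becomes a real script element.
function renderErrorPageUnsafe(errorParam) {
  return `<h1>Error</h1><p>${errorParam}</p>`;
}

// Hardened renderer: the human-readable message comes from a fixed table, and
// the parameter itself only reaches the page through escapeHtml.
function renderErrorPage(errorParam) {
  // Bound the length so the echoed code cannot become a wall of text.
  const raw = typeof errorParam === 'string' ? errorParam.slice(0, 64) : '';
  // hasOwnProperty avoids matching inherited names such as "constructor".
  const known = Object.prototype.hasOwnProperty.call(KNOWN_ERRORS, raw);
  const message = known ? KNOWN_ERRORS[raw] : 'An unknown error occurred.';
  return (
    `<h1>Error</h1><p>${escapeHtml(message)}</p>` +
    `<p>Code: <code>${escapeHtml(raw)}</code></p>`
  );
}

// Constructed input mirroring the advisory's PoC parameter value.
const SAMPLE_PARAM = '<script>alert(1)</script>';

// Stand-alone demonstration.
function demo() {
  return {
    unsafe: renderErrorPageUnsafe(SAMPLE_PARAM),
    safe: renderErrorPage(SAMPLE_PARAM),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Escaping at the point of interpolation is the part that actually closes the hole; the fixed-message table is a second layer that keeps attacker-chosen text out of the visible message entirely.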
CVE-2025-27143
Summary
The application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts a callback URL. While the server blocks fully qualified URLs (e.g., https://evil.com), it incorrectly allows scheme-less URLs (e.g., //malicious-site.com). This results in the browser interpreting the URL as https://malicious-site.com, leading to unintended redirection.
Bypass for GHSA-8jhw-6pjj-8723
Affected Versions
All versions prior to 1.1.19
Details
The application’s email verification endpoint (/auth/verify-email) accepts a callbackURL parameter intended to redirect users after successful email verification. While the server correctly blocks fully qualified external URLs (e.g., https://evil.com), it improperly allows scheme-less URLs (e.g., //malicious-site.com). This issue occurs because browsers interpret //malicious-site.com as https://malicious-site.com, leading to an open redirect vulnerability.
An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker's website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens.
Impact
Phishing & Credential Theft – Attackers can redirect users to a fake login page, tricking them into entering sensitive credentials, which can then be stolen.
Session Hijacking & Token Theft – If used in OAuth flows, an attacker could redirect authentication tokens to their own domain, leading to account takeover.
GHSA-vp58-j275-797x
Summary
A bypass was found for the security feature trustedOrigins. This works for wildcard or absolute URL trustedOrigins configs and opens the victim's website to an open redirect vulnerability, which can be used to steal the reset password token of a victim's account by changing the "callbackURL" parameter value to a website owned by the attacker.
Details
Absolute URLs
The issue here appears in the middleware. This protection is not sufficient and it allows attackers to get an open redirect by using the payload
/\/example.com
. We can check that this is a valid URL (or that it will become a valid URL because the URL parser fixes it for us) by checking the image below:
Regex
The issue here is that the regex is not strong enough:
[^/\\]*?\.example\.com[/\\]*?
(this is the regex that will be created if we have a wildcard in the config), but we can bypass it by using a payload like:
This works because : and ? are special chars in a URL, so when the URL parser sees http: it will happily fix our URL to http://attacker.com? and make
.example.com
a parameter, thus bypassing this check.
PoC
We can PoC the open redirect by using demo.better-auth.com. If we access the URL below, we are redirected to example.com:
Impact
Every single website using the better-auth library is vulnerable to an unauthenticated open redirect and, more importantly, to a potential one-click account takeover, as the attacker can send the victim an email to reset their account while changing the "redirectTo" parameter here; when the victim clicks on the link, the reset token is sent to the attacker's website, letting the attacker use the stolen token to reset the victim's password.
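Both advisories above (CVE-2025-27143 and GHSA-vp58-j275-797x) come down to the same defect: the callback URL is checked as a string, with a prefix test or a regex, instead of being parsed the way the browser will parse it. The following is an added example, not better-auth's middleware: it resolves the candidate against the application's own origin with the WHATWG URL parser and compares the parsed origin and hostname to an allow-list, so scheme-less, backslash and query-suffix variants all end up compared by their real host. APP_ORIGIN, the TRUSTED_ORIGINS entries and the single-leading-wildcard pattern syntax are assumptions for the example.

```javascript
// Added example (not better-auth code): validate a callbackURL by parsing it
// and comparing the parsed origin/hostname to an allow-list.
// APP_ORIGIN and TRUSTED_ORIGINS are assumed values for this example.
const APP_ORIGIN = 'https://app.example.com';
const TRUSTED_ORIGINS = ['https://app.example.com', 'https://*.example.com'];

// Does an already-parsed URL match one allow-list entry?
// Exact entries compare the full origin (scheme, host, port).
// Wildcard entries ("https://*.example.com") compare the scheme and require the
// parsed hostname to end with ".example.com" with at least one label in front.
// The hostname comes from the parser, so it is lowercase and cannot contain
// ":", "?" or "/", which is what defeats the regex bypass described above.
function originMatches(parsed, pattern) {
  const star = pattern.indexOf('*');
  if (star === -1) return parsed.origin === new URL(pattern).origin;
  const schemeEnd = pattern.indexOf('://');
  // Only a wildcard in the leading host label is supported (assumption).
  if (schemeEnd === -1 || star !== schemeEnd + 3) return false;
  const scheme = pattern.slice(0, schemeEnd + 1); // e.g. "https:"
  const suffix = pattern.slice(star + 1);          // e.g. ".example.com"
  const host = parsed.hostname;
  return (
    parsed.protocol === scheme &&
    suffix.startsWith('.') &&
    host.length > suffix.length &&
    host.endsWith(suffix)
  );
}

// Returns the canonical absolute URL to redirect to, or null if the candidate
// must be rejected. Callers should fall back to a fixed default on null.
function resolveCallbackURL(candidate, appOrigin = APP_ORIGIN, trusted = TRUSTED_ORIGINS) {
  if (typeof candidate !== 'string' || candidate.length === 0) return null;
  let parsed;
  try {
    // Relative paths ("/dashboard") resolve against the app origin. Inputs
    // that the parser turns into another host ("//evil.com", "/\/evil.com",
    // "http:evil.com?.example.com") show up in parsed.origin and fail below.
    parsed = new URL(candidate, appOrigin);
  } catch (e) {
    return null;
  }
  // Only web schemes may be redirect targets (no javascript:, data:, etc.).
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') return null;
  if (!trusted.some((p) => originMatches(parsed, p))) return null;
  // Hand back the parser's canonical form, never the raw user string.
  return parsed.href;
}

// Constructed inputs covering the cases from the two advisories.
const SAMPLE_INPUTS = [
  '/dashboard',
  'https://sub.example.com/x',
  '//malicious-site.com',
  '/\\/example.com',
  'http:attacker.com?.example.com',
  'https://app.example.com.evil.com/',
  'javascript:alert(1)',
];

function checkAll() {
  return SAMPLE_INPUTS.map((c) => [c, resolveCallbackURL(c)]);
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const [c, r] of checkAll()) console.log(JSON.stringify(c), '->', r);
}
```

The important design choice is that nothing is decided from the raw string: the candidate is parsed with the same algorithm the browser uses, and the decision is made on the parsed result. Returning the canonical href rather than the original input also means the redirect the server emits is exactly the URL that was checked.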
Release Notes
better-auth/better-auth (better-auth)
v1.1.21
🐞 Bug Fixes
v1.1.20
🚀 Features
🐞 Bug Fixes
v1.1.19
🚀 Features
🐞 Bug Fixes
- getSessionFromCtx overrides query param - by @Kinfe123 in https://github.com/better-auth/better-auth/issues/1496 (261fe)
- id field in generated OpenAPI for each schema (Models) - by @astahmer in https://github.com/better-auth/better-auth/issues/1491 (add38)
v1.1.18
🚀 Features
🐞 Bug Fixes
v1.1.17
🐞 Bug Fixes
- id as a reference - by @Bekacru (745f9)
v1.1.16
🚀 Features
🐞 Bug Fixes
- getModelName - by @chrnorm in https://github.com/better-auth/better-auth/issues/1329 (9a3e2)
v1.1.15
🚀 Features
🐞 Bug Fixes
- sendInvitationEmail use lowercase email - by @ping-maxwell in https://github.com/better-auth/better-auth/issues/1283 (5f34c)
v1.1.14
🚀 Features
🐞 Bug Fixes
v1.1.13
🐞 Bug Fixes
v1.1.12
🚀 Features
🐞 Bug Fixes
v1.1.11
🐞 Bug Fixes
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.