CVE-2025-27143

{"id": "CVE-2025-27143", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-24T23:15:11.160", "references": [{"url": "https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/better-auth/better-auth/releases/tag/v1.1.21", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs, it incorrectly allows scheme-less URLs. This results in the browser interpreting the URL as a fully qualified URL, leading to unintended redirection. An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker's website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens. This CVE is a bypass of the fix for GHSA-8jhw-6pjj-8723/CVE-2024-56734. Version 1.1.21 contains an updated patch."}, {"lang": "es", "value": "Better Auth es una librer\u00eda de autenticaci\u00f3n y autorizaci\u00f3n para TypeScript. Antes de la versi\u00f3n 1.1.21, la aplicaci\u00f3n era vulnerable a una redirecci\u00f3n abierta debido a una validaci\u00f3n incorrecta del par\u00e1metro callbackURL en el endpoint de verificaci\u00f3n de correo electr\u00f3nico y cualquier otro endpoint que acepte una URL de devoluci\u00f3n de llamada. Si bien el servidor bloquea las URL completamente calificadas, permite incorrectamente las URL sin esquema. Esto hace que el navegador interprete la URL como una URL completamente calificada, lo que genera una redirecci\u00f3n no deseada. Un atacante puede explotar este fallo creando un enlace de verificaci\u00f3n malicioso y enga\u00f1ando a los usuarios para que hagan clic en \u00e9l. Tras una verificaci\u00f3n de correo electr\u00f3nico exitosa, el usuario ser\u00e1 redirigido autom\u00e1ticamente al sitio web del atacante, que puede usarse para suplantaci\u00f3n de identidad, distribuci\u00f3n de malware o robo de tokens de autenticaci\u00f3n confidenciales. Esta CVE es una omisi\u00f3n de la correcci\u00f3n para GHSA-8jhw-6pjj-8723/CVE-2024-56734. La versi\u00f3n 1.1.21 contiene un parche actualizado."}], "lastModified": "2025-02-28T16:07:41.847", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:better-auth:better_auth:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "31BED966-390F-4645-B4C8-DD62F07542B4", "versionEndExcluding": "1.1.21"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}