CVE-2025-27143

Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs, it incorrectly allows scheme-less URLs. This results in the browser interpreting the URL as a fully qualified URL, leading to unintended redirection. An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker's website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens. This CVE is a bypass of the fix for GHSA-8jhw-6pjj-8723/CVE-2024-56734. Version 1.1.21 contains an updated patch.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153	Patch
https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80	Patch
https://github.com/better-auth/better-auth/releases/tag/v1.1.21	Release Notes
https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723	Not Applicable
https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:better-auth:better_auth:*:*:*:*:*:node.js:*:*

History

28 Feb 2025, 16:07

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 6.1
CPE		cpe:2.3:a:better-auth:better_auth::::::node.js::*
First Time		Better-auth Better-auth better Auth
References	~~() https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153 -~~	() https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153 - Patch
References	~~() https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80 -~~	() https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80 - Patch
References	~~() https://github.com/better-auth/better-auth/releases/tag/v1.1.21 -~~	() https://github.com/better-auth/better-auth/releases/tag/v1.1.21 - Release Notes
References	~~() https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723 -~~	() https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723 - Not Applicable
References	~~() https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8 -~~	() https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8 - Vendor Advisory
Summary		(es) Better Auth es una librería de autenticación y autorización para TypeScript. Antes de la versión 1.1.21, la aplicación era vulnerable a una redirección abierta debido a una validación incorrecta del parámetro callbackURL en el endpoint de verificación de correo electrónico y cualquier otro endpoint que acepte una URL de devolución de llamada. Si bien el servidor bloquea las URL completamente calificadas, permite incorrectamente las URL sin esquema. Esto hace que el navegador interprete la URL como una URL completamente calificada, lo que genera una redirección no deseada. Un atacante puede explotar este fallo creando un enlace de verificación malicioso y engañando a los usuarios para que hagan clic en él. Tras una verificación de correo electrónico exitosa, el usuario será redirigido automáticamente al sitio web del atacante, que puede usarse para suplantación de identidad, distribución de malware o robo de tokens de autenticación confidenciales. Esta CVE es una omisión de la corrección para GHSA-8jhw-6pjj-8723/CVE-2024-56734. La versión 1.1.21 contiene un parche actualizado.

24 Feb 2025, 23:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-02-24 23:15

Updated : 2025-02-28 16:07

NVD link : CVE-2025-27143

Mitre link : CVE-2025-27143

CVE.ORG link : CVE-2025-27143

JSON object : View

Products Affected

better-auth

better_auth

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

6.1 /10