CVE-2024-56734

Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/better-auth/better-auth/commit/deb3d73aea90d0468d92723f4511542b593e522f	Patch
https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:better-auth:better_auth:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2024-12-30 17:15

Updated : 2025-10-20 16:15

NVD link : CVE-2024-56734

Mitre link : CVE-2024-56734

CVE.ORG link : CVE-2024-56734

JSON object : View

Products Affected

better-auth

better_auth

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2024-56734", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-12-30T17:15:10.133", "references": [{"url": "https://github.com/better-auth/better-auth/commit/deb3d73aea90d0468d92723f4511542b593e522f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue."}, {"lang": "es", "value": "Better Auth es una librer\u00eda de autenticaci\u00f3n para TypeScript. Se ha identificado una vulnerabilidad de redirecci\u00f3n abierta en el endpoint de verificaci\u00f3n de correo electr\u00f3nico de todas las versiones de Better Auth anteriores a la v1.1.6, lo que potencialmente permite a los atacantes redirigir a los usuarios a sitios web maliciosos. Este problema afecta a los usuarios que dependen de los enlaces de verificaci\u00f3n de correo electr\u00f3nico generados por la librer\u00eda. El endpoint de devoluci\u00f3n de llamada de verificaci\u00f3n de correo electr\u00f3nico acepta un par\u00e1metro `callbackURL`. A diferencia de otros m\u00e9todos de verificaci\u00f3n, la verificaci\u00f3n de correo electr\u00f3nico solo utiliza JWT para verificar y redirigir sin la validaci\u00f3n adecuada del dominio de destino. El verificador de origen se omite en este escenario porque solo verifica las solicitudes `POST`. Un atacante puede manipular este par\u00e1metro para redirigir a los usuarios a URL arbitrarias controladas por el atacante. La versi\u00f3n 1.1.6 contiene un parche para el problema."}], "lastModified": "2025-10-20T16:15:38.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:better-auth:better_auth:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "EA9CEF97-8CA3-4FAA-9D01-B07D1E331658", "versionEndExcluding": "1.1.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}