CVE-2025-27143

Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs, it incorrectly allows scheme-less URLs. This results in the browser interpreting the URL as a fully qualified URL, leading to unintended redirection. An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker's website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens. This CVE is a bypass of the fix for GHSA-8jhw-6pjj-8723/CVE-2024-56734. Version 1.1.21 contains an updated patch.

CVSS v3 6.1 MEDIUM

6.1^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153	Patch
https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80	Patch
https://github.com/better-auth/better-auth/releases/tag/v1.1.21	Release Notes
https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723	Not Applicable
https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:better-auth:better_auth:*:*:*:*:*:node.js:*:*

History

No history.

Information

Published : 2025-02-24 23:15

Updated : 2025-02-28 16:12

NVD link : CVE-2025-27143

Mitre link : CVE-2025-27143

CVE.ORG link : CVE-2025-27143

JSON object : View

Products Affected

better-auth

better_auth

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

{"id": "CVE-2025-27143", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "LOW", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-02-24T23:15:11.160", "references": [{"url": "https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/better-auth/better-auth/releases/tag/v1.1.21", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs, it incorrectly allows scheme-less URLs. This results in the browser interpreting the URL as a fully qualified URL, leading to unintended redirection. An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker's website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens. This CVE is a bypass of the fix for GHSA-8jhw-6pjj-8723/CVE-2024-56734. Version 1.1.21 contains an updated patch."}, {"lang": "es", "value": "Better Auth es una librer\u00eda de autenticaci\u00f3n y autorizaci\u00f3n para TypeScript. Antes de la versi\u00f3n 1.1.21, la aplicaci\u00f3n era vulnerable a una redirecci\u00f3n abierta debido a una validaci\u00f3n incorrecta del par\u00e1metro callbackURL en el endpoint de verificaci\u00f3n de correo electr\u00f3nico y cualquier otro endpoint que acepte una URL de devoluci\u00f3n de llamada. Si bien el servidor bloquea las URL completamente calificadas, permite incorrectamente las URL sin esquema. Esto hace que el navegador interprete la URL como una URL completamente calificada, lo que genera una redirecci\u00f3n no deseada. Un atacante puede explotar este fallo creando un enlace de verificaci\u00f3n malicioso y enga\u00f1ando a los usuarios para que hagan clic en \u00e9l. Tras una verificaci\u00f3n de correo electr\u00f3nico exitosa, el usuario ser\u00e1 redirigido autom\u00e1ticamente al sitio web del atacante, que puede usarse para suplantaci\u00f3n de identidad, distribuci\u00f3n de malware o robo de tokens de autenticaci\u00f3n confidenciales. Esta CVE es una omisi\u00f3n de la correcci\u00f3n para GHSA-8jhw-6pjj-8723/CVE-2024-56734. La versi\u00f3n 1.1.21 contiene un parche actualizado."}], "lastModified": "2025-02-28T16:12:58.530", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:better-auth:better_auth:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "31BED966-390F-4645-B4C8-DD62F07542B4", "versionEndExcluding": "1.1.21"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}