
Commit 678ab7f

1 parent bc089ad commit 678ab7f


2 files changed

+10
-10
lines changed


advisories/github-reviewed/2025/02/GHSA-9x4v-xfq5-m8x5/GHSA-9x4v-xfq5-m8x5.json

Lines changed: 5 additions & 5 deletions
@@ -1,15 +1,15 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-9x4v-xfq5-m8x5",
4-
"modified": "2025-02-05T21:49:39Z",
4+
"modified": "2025-12-09T16:26:23Z",
55
"published": "2025-02-05T21:49:39Z",
66
"aliases": [],
77
"summary": "Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)",
8-
"details": "### Summary\nThe better-auth `/api/auth/error` page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability.\n\n### Details\nThe value of `error` URL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81\n\n### PoC\n\nhttps://demo.better-auth.com/api/auth/error?error=%3Cscript%3Ealert(1)%3C/script%3E\n\n![image](https://github.com/user-attachments/assets/35b1b95d-3dc9-45fd-89cd-20cd0361bb6c)\n\n### Impact\nAn attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser.\n\nBecause better-auth is a dependency of web applications, the impact of such a vulnerability is unknowable; it depends on the functionality of the application/site using better-auth. I have calculated the CVSS score assuming the hypothetical victim is an administrator with elevated permissions and access.",
8+
"details": "### Summary\nThe better-auth `/api/auth/error` page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability.\n\n### Details\nThe value of `error` URL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81\n\n### Impact\nAn attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser.",
99
"severity": [
1010
{
11-
"type": "CVSS_V3",
12-
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:N"
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
1313
}
1414
],
1515
"affected": [
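Review bot: the re-score in this hunk (CVSS 3.1 C:H/I:H with changed scope to CVSS 4.0 VC:L/VI:L, UI:A) is a large drop with no rationale recorded, and the same hunk deletes the one paragraph that documented the original scoring assumption (the victim modelled as an administrator with elevated permissions). A change of this size should carry a one-line justification in `details` or a `references` entry stating why confidentiality and integrity impact are now Low. Dropping the `### PoC` section is a reasonable editorial choice for a live demo URL, but the pinned link to `error.ts#L81` is then the only remaining pointer to the vulnerable code path; keep it, and consider adding the fix commit so the affected and patched versions stay verifiable.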
@@ -55,7 +55,7 @@
5555
"cwe_ids": [
5656
"CWE-79"
5757
],
58-
"severity": "CRITICAL",
58+
"severity": "MODERATE",
5959
"github_reviewed": true,
6060
"github_reviewed_at": "2025-02-05T21:49:39Z",
6161
"nvd_published_at": null
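Review bot: `severity` moves two levels, from CRITICAL to MODERATE, while `github_reviewed_at` keeps the original 2025-02-05T21:49:39Z value, so the only evidence of a December re-review is the `modified` timestamp in the first hunk. The label is consistent with the new VC:L/VI:L vector, but since the vector itself is undocumented (see the first hunk), the justification for this downgrade belongs in the same commit. `cwe_ids` (CWE-79) and `nvd_published_at: null` are unchanged and still appropriate for a reflected XSS.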

advisories/github-reviewed/2025/02/GHSA-vp58-j275-797x/GHSA-vp58-j275-797x.json

Lines changed: 5 additions & 5 deletions
@@ -1,15 +1,15 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-vp58-j275-797x",
4-
"modified": "2025-03-03T13:44:59Z",
4+
"modified": "2025-12-09T16:27:07Z",
55
"published": "2025-02-24T20:49:50Z",
66
"aliases": [],
77
"summary": "Better Auth allows bypassing the trustedOrigins Protection which leads to ATO",
8-
"details": "### Summary\nA bypass was found for **wildcard** or **absolute URLs** trustedOrigins configurations and opens the victims website to a **Open Redirect** vulnerability, where it can be used to steal the **reset password token** of a victims account by changing the \"callbackURL\" parameter value to a website owned by the attacker.\n\n### Details\n\n#### Absolute URLs\n\nThe issue here appears in the **middleware**, [specifically](https://github.com/better-auth/better-auth/blob/ddebd0358d74376ea64541512d0167dd4377f182/packages/better-auth/src/api/middlewares/origin-check.ts#L53). This protection is not sufficiente and it allows attackers to exploit a open redirect vulnerability, by using the payload `/\\/example.com`. We can check this is a valid URL ( or it will be a valid URL because the URL parser fix it for us ), by checking the image bellow:\n\n![image](https://github.com/user-attachments/assets/d192f06d-358d-4612-97d9-cab89ba55b06)\n\n```typescript\n// trustedOrigins = [ \"https://example.com\" ]\nvalidateURL(\"https://attacker.com\", \"callbackURL\") // ❌ APIError, No Redirect\nvalidateURL(\"/\\/attacker.com\", \"callbackURL\") // ✅ Redirect to http://attacker.com\n```\n\n#### Regex\n\nThe issue here is because the regex is not strong enough `[^/\\\\]*?\\.example\\.com[/\\\\]*?` ( this is the regex it will be created if we have a wildcard as the trustedOrigins config ), but we can bypass by using a payload like:\n\n```text\n// trustedOrigins = [ \"*.example.com\" ]\n ┌──────────────────┐ ┌────────────────┐ ┌─────────────────┐\n │ None of [ \"/\\\" ] │ ────▶ │ \".example.com\" │ ────▶ │ One of [ \"/\\\" ] │\n └──────────────────┘ └────────────────┘ └─────────────────┘\n demo .example.com / ✅ Redirect to https://example.com\n demo .attacker.com / ❌ APIError, no redirect\n http:attacker.com? 
.example.com / ✅ Redirect to http://attacker.com\n````\n\nThis works because **:** and **?** are special chars in a URL, so when the URL parser sees, **http:** it will fix our happily fix our URL to http://attacker.com? and make `.example.com` as parameter, thus, bypassing this check.\n\n### PoC\nWe can PoC the open redirect by using the `demo.better-auth.com`. \nIf we access the URL bellow, we are redirected to example.com:\n- https://demo.better-auth.com/api/auth/reset-password/x?callbackURL=/\\/example.com\n\n### Impact\nEvery single website using the **better-auth** library, is vulnerable to un-auth open redirect and more importantilly, vulnerable to potential one click account take over vulnerability, as the attacker can send the victim a email to reset their account while changing the \"redirectTo\" parameter [here](https://demo.better-auth.com/forget-password), and when the victim clicks on the link, the reset token is sent to the attackers website, which then a attacker could use that token to reset the password of the victims account.",
8+
"details": "### Summary\n\nA bypass was discovered in the trustedOrigins validation logic—affecting both absolute URL entries and wildcard domain patterns. This flaw allows an attacker to construct a malicious callbackURL that passes origin checks and triggers an open redirect.\n\nBecause redirect endpoints include sensitive tokens (such as password-reset tokens), this vulnerability can enable one-click account takeover if a victim clicks a crafted link.",
99
"severity": [
1010
{
11-
"type": "CVSS_V4",
12-
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
1313
}
1414
],
1515
"affected": [
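Review bot: this hunk moves the advisory from CVSS_V4 back to CVSS_V3 while the sibling advisory in the same commit moves from V3 to V4, leaving two records edited in one pass on different vector versions; pick one version for both. The new 3.1 vector rates confidentiality C:L, yet the unchanged `summary` says the bypass "leads to ATO" and the rewritten `details` says it "can enable one-click account takeover"; takeover via a stolen reset token is normally a High confidentiality impact, so either the vector or the text needs adjusting. The rewrite also drops the pinned reference to the vulnerable check (`origin-check.ts#L53`) and the description of the wildcard regex `[^/\\]*?\.example\.com[/\\]*?` that made the bypass possible; keeping at least the code reference preserves the root-cause record that defenders rely on when writing detections or auditing their own `trustedOrigins` configuration.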
@@ -58,7 +58,7 @@
5858
"cwe_ids": [
5959
"CWE-601"
6060
],
61-
"severity": "CRITICAL",
61+
"severity": "HIGH",
6262
"github_reviewed": true,
6363
"github_reviewed_at": "2025-02-24T20:49:50Z",
6464
"nvd_published_at": null
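Review bot: the downgrade from CRITICAL to HIGH agrees with the 3.1 vector in the first hunk (AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N computes to a 7.1 base score, High), so label and vector are consistent. What is missing is the same as in the other advisory: no note or reference explains the re-score, and `github_reviewed_at` keeps the original 2025-02-24 date, so the only trace of the December review is the `modified` field. CWE-601 remains the correct classification for the open redirect.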
