API Security Blog

Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes

Summary

An open redirect has been found in the `originCheck` middleware function, which affects the following routes: `/verify-email`, `/reset-password/:token`, `/delete-user/callback`, `/magic-link/verify`, `/oauth-proxy-callback`.

Details

In the `matchesPattern` function, the `url.startsWith(pattern)` check can be deceived with a `url` that starts with one of the `trustedOrigins`.

```jsx
const matchesPattern = (url: string, pattern: string): boolean => {
  // Relative paths are not matched against trusted origins here.
  if (url.startsWith("/")) {
    return false;
  }
  // Wildcard patterns are matched against the host of the URL.
  if (pattern.includes("*")) {
    return wildcardMatch(pattern)(getHost(url));
  }
  // Plain string-prefix comparison: the check described above.
  return url.startsWith(pattern);
};
```

Open Redirect PoCs

```jsx
export const auth = betterAuth({
  baseURL: 'https://localhost:3000',
  trustedOrigins: [
    "https://trusted.com"
  ],
  emailAndPassword: { … },
})
```

- `/reset-password/:token`
- `/verify-email`
- `/delete-user/callback`
- `/magic-link/verify`
- `/oauth-proxy-callback`

Impact

Untrusted open redirects in various…
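The `startsWith` prefix check from the Details section next to a stricter comparison of parsed origins, as an added example that is not Better Auth's code or its actual fix. `prefixMatch`, `parseUrl`, `originMatch`, `compareChecks` and the sample URLs (reserved `.example` TLD) are constructed for illustration, and only the non-wildcard branch is modelled.

```typescript
// Added example; not Better Auth's code or its actual fix.
// Non-wildcard branch of the check shown on the page.
const prefixMatch = (url: string, pattern: string): boolean => {
  if (url.startsWith("/")) return false;
  return url.startsWith(pattern);
};

// Hypothetical helper: parse an absolute URL, or null if relative/malformed.
const parseUrl = (value: string): URL | null => {
  try {
    return new URL(value);
  } catch {
    return null;
  }
};

// Hypothetical stricter check: scheme, host and port must equal the trusted origin.
const originMatch = (url: string, pattern: string): boolean => {
  const candidate = parseUrl(url);
  const trusted = parseUrl(pattern);
  if (!candidate || !trusted) return false;
  if (candidate.protocol !== "https:" && candidate.protocol !== "http:") return false;
  return candidate.origin === trusted.origin;
};

// Constructed sample inputs, all tested against one trusted origin.
const TRUSTED = "https://trusted.com";
const SAMPLES = [
  "https://trusted.com/dashboard",               // same origin
  "https://trusted.com.untrusted.example/login", // trusted origin is only a hostname prefix
  "https://trusted.com@untrusted.example/login", // trusted origin sits in the userinfo part
  "/relative/path",                              // relative path, rejected by both checks
];

// Returns one row per sample so the two checks can be compared side by side.
const compareChecks = (): { url: string; prefix: boolean; origin: boolean }[] =>
  SAMPLES.map((url) => ({
    url,
    prefix: prefixMatch(url, TRUSTED),
    origin: originMatch(url, TRUSTED),
  }));

console.table(compareChecks());
```

Rows where `prefix` is true and `origin` is false are the inputs a string-prefix comparison accepts even though the browser would navigate to a different origin.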
