GHSA-36rg-gfq2-3h56: Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes

Summary

An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback.

Details

In the matchesPattern function, the url.startsWith(pattern) check can be deceived by a URL that merely begins with one of the trustedOrigins as a string, rather than actually belonging to that origin.

    // Vulnerable origin check as shipped: a trusted origin is treated as a
    // string prefix of the redirect URL, not as its parsed origin.
    const matchesPattern = (url: string, pattern: string): boolean => {
        if (url.startsWith("/")) {
            return false;
        }
        if (pattern.includes("*")) {
            return wildcardMatch(pattern)(getHost(url));
        }
        // Prefix match: any URL that starts with the trusted origin passes.
        return url.startsWith(pattern);
    };
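As an added illustration (not Better Auth's code and not the fix in the referenced commit), the prefix check from the advisory is shown beside a comparison that parses the URL and compares its origin exactly; wildcard patterns are left out, which is an assumption of this example:

```typescript
// Added example, not from the Better Auth code base. The wildcard branch of
// the real matchesPattern is omitted (assumption) to isolate the prefix flaw.

// Vulnerable form: string-prefix match against a trusted origin.
export function matchesPatternPrefix(url: string, pattern: string): boolean {
  if (url.startsWith("/")) {
    return false;
  }
  return url.startsWith(pattern);
}

// Hardened form: parse both sides and require the same scheme, host and
// port. Anything that does not parse as an absolute URL is not trusted.
export function matchesPatternOrigin(url: string, pattern: string): boolean {
  if (url.startsWith("/")) {
    return false;
  }
  let candidate: URL;
  let trusted: URL;
  try {
    candidate = new URL(url);
    trusted = new URL(pattern);
  } catch {
    return false;
  }
  return candidate.origin === trusted.origin;
}

// Constructed inputs for review: each entry is [redirect URL, trusted origin].
// The first genuinely belongs to the trusted origin; the others only share
// its string prefix and should be rejected by an origin-aware check.
export const SAMPLES: Array<[string, string]> = [
  ["http://trusted.com/callback?ok=1", "http://trusted.com"],
  ["http://trusted.com.example.invalid/", "http://trusted.com"],
  ["http://trusted.com@example.invalid/", "http://trusted.com"],
  ["http://trusted.com:8080/", "http://trusted.com"],
];

// Returns, per sample, how each check decides so the two can be compared.
export function compareChecks(): Array<{ prefix: boolean; origin: boolean }> {
  return SAMPLES.map(([url, pattern]) => ({
    prefix: matchesPatternPrefix(url, pattern),
    origin: matchesPatternOrigin(url, pattern),
  }));
}
```

Only the first sample is accepted by the origin comparison; the prefix check accepts all four.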

Open Redirect PoCs

    export const auth = betterAuth({
        baseURL: 'http://localhost:3000',
        trustedOrigins: [
            "http://trusted.com"
        ],
        emailAndPassword: {
            ...
        },
    })

/reset-password/:token


/verify-email


/delete-user/callback


/magic-link/verify


/oauth-proxy-callback


Impact

Untrusted open redirects in each of the routes listed above.


References

  • GHSA-36rg-gfq2-3h56
  • https://nvd.nist.gov/vuln/detail/CVE-2025-53535
  • better-auth/better-auth@9801d1b
