A critical security vulnerability has been discovered in the Better Auth library, a popular TypeScript authentication framework. The vulnerability could allow attackers to bypass security measures and potentially take over user accounts.
The vulnerability lies in the trustedOrigins protection feature, which is designed to restrict redirects to trusted websites. However, a bypass has been found that allows attackers to exploit this feature and redirect users to malicious websites.
According to the security advisory: “A bypass was found for the security feature trustedOrigins. This works for wild card or absolute URLs trustedOrigins configs and opens the victims website to a Open Redirect vulnerability, where it can be used to steal the reset password token of a victims account by changing the ‘callbackURL’ parameter value to a website owned by the attacker.”
This vulnerability can be exploited through open redirects, where an attacker crafts a malicious link and sends it to a victim. When the victim clicks on the link, they are redirected to a website controlled by the attacker, potentially allowing the attacker to steal the victim’s reset password token and take over their account.
The vulnerability arises from improper validation of callback URLs in the middleware responsible for handling trustedOrigins. Attackers can craft a malicious payload, such as:
This exploits an issue with how URLs are parsed, allowing an attacker to redirect victims to an external domain. Once the victim follows the link, their password reset token is sent to the attacker’s website, enabling full account compromise.
Another method of exploitation involves the use of weak regex patterns in the library’s trustedOrigins handling: [^/\\]*?\.example\.com[/\\]*?
An attacker can use a payload such as: http:attacker.com?.example.com/
Since : and ? are special characters in URLs, the browser interprets ‘http:’ as the URL scheme rather than as plain text: the host becomes attacker.com and the ‘.example.com’ that satisfied the regex is only part of the query string, so the user is redirected to the attacker’s site.
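To make the contrast concrete, here is an added example (not Better Auth’s own code) that applies the weak substring regex quoted above to the advisory’s payload, and beside it a parser-based check that resolves the callbackURL with the WHATWG URL parser and compares the resulting scheme and host against an explicit allow-list. The app origin, the allow-list patterns and the function names are assumptions for illustration.

```typescript
// Added example, not code from Better Auth. Contrasts a substring regex
// check with a parser-based origin check for a reset-password callbackURL.
const APP_ORIGIN = "https://app.example.com"; // assumed deploying site

// The weak pattern quoted in the advisory, applied as an unanchored match.
const WEAK_TRUSTED = /[^/\\]*?\.example\.com[/\\]*?/;

function weakIsTrusted(callbackURL: string): boolean {
  return WEAK_TRUSTED.test(callbackURL);
}

// Host the browser would actually navigate to, resolved against the app
// origin the way a Location header or a client-side redirect would be.
function resolvedHost(callbackURL: string): string {
  return new URL(callbackURL, APP_ORIGIN).hostname;
}

// Strict check: parse first, then compare scheme and host to an allow-list.
// Patterns are exact origins ("https://app.example.com") or a single
// leading wildcard label ("https://*.example.com"); anything else is rejected.
function strictIsTrusted(callbackURL: string, trusted: string[]): boolean {
  let target: URL;
  try {
    target = new URL(callbackURL, APP_ORIGIN);
  } catch {
    return false; // unparsable input is never trusted
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return false;
  return trusted.some((pattern) => {
    const m = /^(https?):\/\/(\*\.)?([^/*]+)$/.exec(pattern);
    if (!m) return false; // malformed allow-list entry never matches
    const [, scheme, wildcard, host] = m;
    if (target.protocol !== scheme + ":") return false;
    if (wildcard) {
      // Exact apex or a true subdomain; suffix tricks like
      // "evil.example.com.attacker.net" do not end with ".example.com".
      return target.hostname === host || target.hostname.endsWith("." + host);
    }
    return target.hostname === host;
  });
}
```

The weak check accepts the advisory payload because `.example.com` appears somewhere in the string, while the parsed hostname is attacker.com and the strict check rejects it.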
The Better Auth project has released version 1.1.21 to address this vulnerability. All users of the Better Auth library are strongly encouraged to update to the latest version as soon as possible to protect themselves from potential attacks.