UNKNOWN npm
Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes
GHSA-36rg-gfq2-3h56 · CVE-2025-53535
Description
Summary
An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback.
Details
In the matchesPattern function, the non-wildcard branch returns url.startsWith(pattern), which is a plain string-prefix test rather than an origin comparison. Any URL whose text merely begins with a trusted origin passes, even though the browser will navigate somewhere else: for example, with "http://trusted.com" in trustedOrigins, both http://trusted.com.attacker.example/ (host trusted.com.attacker.example) and http://trusted.com@attacker.example/ (trusted.com becomes userinfo, the host is attacker.example) satisfy the check.
```ts
const matchesPattern = (url: string, pattern: string): boolean => {
  // Relative paths are not matched against origins here.
  if (url.startsWith("/")) {
    return false;
  }
  // Wildcard origins are compared against the URL's host.
  if (pattern.includes("*")) {
    return wildcardMatch(pattern)(getHost(url));
  }
  // Vulnerable: a prefix test on the raw string, not an origin comparison.
  return url.startsWith(pattern);
};
```
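The prefix bypass beside a parser-based replacement, as an added example that is not Better Auth's own code. The vulnerable function mirrors the advisory's description of matchesPattern; the wildcard helper (host-only globs such as "*.trusted.com"), the isTrustedRedirect wrapper, and the probe URLs are assumptions made for illustration, and the project's real wildcardMatch and getHost are not reproduced.

```typescript
// Added example (not Better Auth's code). Assumed: wildcard patterns are host-only
// globs like "*.trusted.com"; non-wildcard patterns are full origins.

// Parse with the WHATWG URL parser; anything unparseable is never trusted.
function parseUrl(url: string): URL | null {
  try {
    return new URL(url);
  } catch {
    return null;
  }
}

// Minimal stand-in for a wildcard host matcher: "*" matches exactly one DNS
// label, everything else is literal.
function hostMatchesWildcard(pattern: string, host: string): boolean {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, "[^.]+");
  return new RegExp(`^${escaped}$`, "i").test(host);
}

// Vulnerable form, as described in the advisory: a string prefix test.
export function matchesPatternVulnerable(url: string, pattern: string): boolean {
  if (url.startsWith("/")) return false;
  if (pattern.includes("*")) {
    const parsed = parseUrl(url);
    return parsed !== null && hostMatchesWildcard(pattern, parsed.hostname);
  }
  return url.startsWith(pattern); // "http://trusted.com.attacker.example" passes
}

// Hardened form: compare the serialized origin (scheme + host + port) exactly,
// so neither a look-alike host nor a userinfo trick can satisfy the check.
export function matchesPatternHardened(url: string, pattern: string): boolean {
  if (url.startsWith("/")) return false;
  const candidate = parseUrl(url);
  if (candidate === null) return false;
  if (pattern.includes("*")) {
    return hostMatchesWildcard(pattern, candidate.hostname);
  }
  const trusted = parseUrl(pattern);
  if (trusted === null) return false; // misconfigured origin fails closed
  return candidate.origin === trusted.origin;
}

// Wrapper a route handler would call before issuing a 302 (assumed name).
export function isTrustedRedirect(
  url: string,
  trustedOrigins: string[],
  check: (url: string, pattern: string) => boolean = matchesPatternHardened,
): boolean {
  return trustedOrigins.some((origin) => check(url, origin));
}

// Constructed inputs: one legitimate target, three prefix bypasses, one
// legitimate wildcard subdomain.
export const TRUSTED = ["http://trusted.com", "*.trusted.com"];
export const PROBES = [
  "http://trusted.com/reset",
  "http://trusted.com.attacker.example/",
  "http://trusted.com@attacker.example/",
  "http://trusted.comattacker.example/",
  "http://sub.trusted.com/",
];

export function compare(): Array<[string, boolean, boolean]> {
  return PROBES.map((p) => [
    p,
    isTrustedRedirect(p, TRUSTED, matchesPatternVulnerable),
    isTrustedRedirect(p, TRUSTED, matchesPatternHardened),
  ]);
}
```

Comparing on `URL.origin` rather than on the raw string is the key change: the parser resolves userinfo, port defaults and path separators the way the browser will, so the check and the eventual navigation agree on the destination.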
Open Redirect PoCs
```ts
export const auth = betterAuth({
  baseURL: 'http://localhost:3000',
  trustedOrigins: [
    "http://trusted.com"
  ],
  emailAndPassword: {
    ...
  },
})
```
/reset-password/:token
/verify-email
/delete-user/callback
/magic-link/verify
/oauth-proxy-callback
Impact
Open redirect on each of the routes listed above: a redirect target that merely begins with a configured trusted origin passes originCheck, so a user who follows a crafted verification, password-reset, account-deletion, magic-link or OAuth-proxy callback link can be sent to an attacker-controlled site.