Severity: UNKNOWN | Ecosystem: npm
Better Auth URL parameter HTML injection (reflected cross-site scripting)
GHSA-9x4v-xfq5-m8x5
Published · Modified
Description
Summary
The better-auth `/api/auth/error` page was vulnerable to HTML injection: a request parameter was written into the page markup without escaping, which yields a reflected cross-site scripting (XSS) vulnerability.
Details
The value of the `error` URL query parameter was reflected unescaped into the HTML of the error page, so any markup it contained was rendered by the browser: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81
Impact
An attacker who lured a user into visiting a specially crafted URL (for example, via a link or redirect carrying a malicious `error` value) could execute arbitrary JavaScript in the user's browser in the context of the origin serving the better-auth endpoints.
References
- WEB https://github.com/better-auth/better-auth/security/advisories/GHSA-9x4v-xfq5-m8x5
- WEB https://github.com/better-auth/better-auth/commit/7ae340e2eddad641b7e43d24d37c58a66ce9ddcf
- PACKAGE https://github.com/better-auth/better-auth
- WEB https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81