Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint
Description
An open redirect vulnerability in Better Auth's email verification endpoint allows attackers to redirect users to arbitrary URLs via the callbackURL parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Description
Better Auth, a TypeScript authentication library, contains an open redirect vulnerability in its email verification endpoint. The issue affects all versions prior to v1.1.6. The verify-email callback endpoint accepts a callbackURL parameter, but unlike the other verification flows it only verifies the JWT and then redirects, without validating the target domain. The origin checker is bypassed here because it runs only for POST requests, while a verification link is followed with a GET, leaving the endpoint open to manipulation [1].
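To make the mechanism concrete, here is an added example (not Better Auth's code) of a callbackURL and Origin check that runs for every HTTP method, placed beside a method-gated version that mirrors the pre-1.1.6 behaviour described above. The request and config shapes, the function names, and the wildcard rule ("https://*.host") are assumptions made for this example; the hardened form also goes beyond the single case on the page by refusing protocol-relative, backslash and non-http callback values.

```typescript
// Added example, not Better Auth's code: a callbackURL / origin check that runs
// for every HTTP method, contrasted with a method-gated version that mirrors the
// pre-1.1.6 behaviour the advisory describes. Names, config shape and the
// wildcard rule ("https://*.host") are assumptions made for this example.

export interface VerifyRequest {
  method: string;
  url: string;                       // absolute request URL including the query string
  headers: Record<string, string>;   // lower-case header names
}

export interface Config {
  baseURL: string;          // the app's own origin, e.g. "https://app.example"
  trustedOrigins: string[]; // exact origins or "https://*.host" patterns
}

export type CheckResult =
  | { ok: true; redirectTo: string }
  | { ok: false; reason: string };

/** True when `origin` (scheme://host[:port]) matches one trusted pattern. */
export function originMatches(origin: string, pattern: string): boolean {
  const o = new URL(origin);
  if (!pattern.includes("*")) return new URL(pattern).origin === o.origin;
  const [scheme, rest] = pattern.split("://");
  if (!rest || `${scheme}:` !== o.protocol) return false;
  const suffix = rest.slice(rest.indexOf("*") + 1); // "*.partner.example" -> ".partner.example"
  return o.host.endsWith(suffix) && o.host.length > suffix.length;
}

export function isTrustedOrigin(origin: string, cfg: Config): boolean {
  return origin === new URL(cfg.baseURL).origin ||
    cfg.trustedOrigins.some((p) => originMatches(origin, p));
}

/**
 * Resolve callbackURL to a redirect target, or null when it must be refused.
 * Resolving against baseURL keeps relative paths on-site and turns
 * "//evil.example" and "/\evil.example" into absolute URLs whose origin is then checked.
 */
export function resolveCallbackURL(callbackURL: string, cfg: Config): string | null {
  let target: URL;
  try {
    target = new URL(callbackURL, cfg.baseURL);
  } catch {
    return null;
  }
  if (target.protocol !== "https:" && target.protocol !== "http:") return null; // javascript:, data: ...
  return isTrustedOrigin(target.origin, cfg) ? target.href : null;
}

function callbackParam(req: VerifyRequest): string {
  return new URL(req.url).searchParams.get("callbackURL") ?? "/";
}

/** Mirrors the flaw: anything other than POST skips validation and redirects blindly. */
export function methodGatedCheck(req: VerifyRequest, cfg: Config): CheckResult {
  if (req.method !== "POST") return { ok: true, redirectTo: callbackParam(req) };
  return hardenedCheck(req, cfg);
}

/** Hardened form: the same validation regardless of method. */
export function hardenedCheck(req: VerifyRequest, cfg: Config): CheckResult {
  // A browser following a link from an email sends no Origin header, so an
  // absent header is acceptable; a present but untrusted one is refused.
  const originHeader = req.headers["origin"] ?? req.headers["referer"] ?? "";
  if (originHeader) {
    let sender: string;
    try { sender = new URL(originHeader).origin; } catch { return { ok: false, reason: "malformed origin header" }; }
    if (!isTrustedOrigin(sender, cfg)) return { ok: false, reason: `untrusted origin ${sender}` };
  }
  const cb = callbackParam(req);
  const target = resolveCallbackURL(cb, cfg);
  return target ? { ok: true, redirectTo: target } : { ok: false, reason: `callbackURL not in trustedOrigins: ${cb}` };
}

// Constructed demo request: a verify-email link whose callbackURL points off-site.
const demoConfig: Config = { baseURL: "https://app.example", trustedOrigins: ["https://*.partner.example"] };
const demoRequest: VerifyRequest = {
  method: "GET",
  url: "https://app.example/api/auth/verify-email?token=demo&callbackURL=" + encodeURIComponent("https://evil.example/"),
  headers: {},
};
console.log("method-gated:", methodGatedCheck(demoRequest, demoConfig)); // ok: true, redirects off-site
console.log("hardened:    ", hardenedCheck(demoRequest, demoConfig));    // ok: false
```

The design point is that the decision rests on the resolved origin of the callback, not on the HTTP method or on the presence of an Origin header: the WHATWG URL parser does the normalisation, so a relative path stays on-site while every absolute, protocol-relative or backslash form is compared against the trusted list.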
Exploitation
An attacker can exploit this vulnerability by crafting a malicious email verification link that includes a callbackURL parameter pointing to an arbitrary external domain. When a user clicks the link, the library verifies the JWT and then redirects the user to the attacker-controlled URL. No authentication is required to trigger the redirect; the attacker only needs to generate a valid verification link (which may be possible if they can intercept or forge email verification requests) [1].
Impact
Successful exploitation allows an attacker to redirect users to malicious websites, potentially leading to phishing attacks, credential theft, or malware distribution. The open redirect can be used to bypass security controls that rely on domain validation, as the initial request appears to originate from a trusted source [1].
Mitigation
The vulnerability has been patched in Better Auth version 1.1.6. Users are strongly advised to upgrade to this version or later. No workarounds are mentioned in the advisory; upgrading is the recommended course of action [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| better-auth (npm) | < 1.1.6 | 1.1.6 |
Affected products
- Range: < 1.1.5
Patches
deb3d73aea90 fix: enforce origin checker for GET methods
1 file changed · +1 −3
packages/better-auth/src/api/middlewares/origin-check.ts+1 −3 modified@@ -2,15 +2,13 @@ import { APIError } from "better-call"; import { createAuthMiddleware } from "../call"; import { wildcardMatch } from "../../utils/wildcard"; import { getHost } from "../../utils/url"; +import type { GenericEndpointContext } from "src/types"; /** * A middleware to validate callbackURL and origin against * trustedOrigins. */ export const originCheckMiddleware = createAuthMiddleware(async (ctx) => { - if (ctx.request?.method !== "POST") { - return; - } const { body, query, context } = ctx; const originHeader = ctx.headers?.get("origin") || ctx.headers?.get("referer") || "";
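Review bot: the added `import type { GenericEndpointContext } from "src/types";` uses a bare `src/types` path while the neighbouring imports are relative (`../call`, `../../utils/wildcard`, `../../utils/url`), and the type is not referenced anywhere in the visible hunk; either drop it or make it relative so the build does not depend on a path alias. Removing the `if (ctx.request?.method !== "POST") { return; }` gate is the right fix, but the middleware now also runs for GET navigations from email links, where `ctx.headers?.get("origin")` and `referer` are normally absent and `body` is undefined, so the code after `const { body, query, context } = ctx;` must accept an empty `originHeader` while still validating the callbackURL taken from `query`; a regression test for a GET verify-email request carrying an off-site callbackURL would pin that down, since the commit touches only the one file.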
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-8jhw-6pjj-8723 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-56734 (NVD entry)
- github.com/better-auth/better-auth/commit/deb3d73aea90d0468d92723f4511542b593e522f (fix commit)
- github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723 (project security advisory)