Low severity · OSV Advisory · Published Jul 7, 2025 · Updated Apr 15, 2026
CVE-2025-53535
Description
Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| better-auth (npm) | < 1.2.10 | 1.2.10 |
Affected products
1- Range: feat/2867-oidcprovider-trusted, v0.0.10-beta.1, v0.0.10-beta.10, …
Patches
208d92952ab829801d1be53d9 fix(expo): remove duplicated trusted origins
2 files changed · +13 −3
packages/expo/src/expo.test.ts+11 −0 modified@@ -224,4 +224,15 @@ describe("expo with cookieCache", async () => { expires: expect.any(String), }); }); + + it("should add `exp://` to trusted origins", async () => { + vi.stubEnv("NODE_ENV", "development"); + const auth = betterAuth({ + plugins: [expo()], + trustedOrigins: ["http://localhost:3000"], + }); + const ctx = await auth.$context; + expect(ctx.options.trustedOrigins).toContain("exp://"); + expect(ctx.options.trustedOrigins).toContain("http://localhost:3000"); + }); });
packages/expo/src/index.ts+2 −3 modified@@ -13,9 +13,8 @@ export const expo = (options?: ExpoOptions) => { id: "expo", init: (ctx) => { const trustedOrigins = - process.env.NODE_ENV === "development" - ? [...(ctx.trustedOrigins || []), "exp://"] - : ctx.trustedOrigins; + process.env.NODE_ENV === "development" ? ["exp://"] : []; + return { options: { trustedOrigins,
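Review bot: the new test in packages/expo/src/expo.test.ts calls `vi.stubEnv("NODE_ENV", "development")` with no visible restore, so the stubbed value can leak into later tests in the file; add `vi.unstubAllEnvs()` in an `afterEach` or at the end of the test. The two `toContain` assertions also pass when `exp://` is present twice, so the duplication named in the commit title is not covered; assuming `ctx.options.trustedOrigins` is an array here, assert on the count, for example `expect(ctx.options.trustedOrigins.filter((o) => o === "exp://")).toHaveLength(1)`. A second case with `NODE_ENV` set to a value other than `development`, asserting that `exp://` is absent, would cover the other branch changed in index.ts.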
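Review bot: the `init` return in packages/expo/src/index.ts now depends on the caller merging the returned `options.trustedOrigins` into the user's configured list rather than replacing it, and nothing in the hunk says so. With `ctx.trustedOrigins` no longer spread into the result, the plugin returns only `["exp://"]` or `[]`, so a caller that overwrote the option would drop every user-configured origin; a one-line comment stating that the returned list is appended would make that contract explicit. It is also worth a comment that `exp://` is a scheme-only entry and is trusted solely because of the `process.env.NODE_ENV === "development"` check, since the advisory above is an open redirect in originCheck and this entry should never be reachable in a production build.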