chore(deps): update dependency better-auth to v1.1.21 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
better-auth (source)	1.1.18 -> 1.1.21

GitHub Vulnerability Alerts

CVE-2025-27143

Summary

The application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts callback url. While the server blocks fully qualified URLs (e.g., https://evil.com), it incorrectly allows scheme-less URLs (e.g., //malicious-site.com). This results in the browser interpreting the URL as https://malicious-site.com, leading to unintended redirection.

bypass for : GHSA-8jhw-6pjj-8723

Affected Versions

All versions prior to 1.1.19

Details

The application’s email verification endpoint (/auth/verify-email) accepts a callbackURL parameter intended to redirect users after successful email verification. While the server correctly blocks fully qualified external URLs (e.g., https://evil.com), it improperly allows scheme-less URLs (e.g., //malicious-site.com). This issue occurs because browsers interpret //malicious-site.com as https://malicious-site.com, leading to an open redirect vulnerability.

An attacker can exploit this flaw by crafting a malicious verification link and tricking users into clicking it. Upon successful email verification, the user will be automatically redirected to the attacker's website, which can be used for phishing, malware distribution, or stealing sensitive authentication tokens.

Impact

Phishing & Credential Theft – Attackers can redirect users to a fake login page, tricking them into entering sensitive credentials, which can then be stolen.

Session Hijacking & Token Theft – If used in OAuth flows, an attacker could redirect authentication tokens to their own domain, leading to account takeover.

GHSA-vp58-j275-797x

Summary

A bypass was found for the security feature trustedOrigins. This works for wild card or absolute URLs trustedOrigins configs and opens the victims website to a Open Redirect vulnerability, where it can be used to steal the reset password token of a victims account by changing the "callbackURL" parameter value to a website owned by the attacker.

Details

Absolute URLs

The issue here appears in the middleware, specifically. This protection is not sufficiente and it allows attackers to get a open redirect, by using the payload /\/example.com. We can check this is a valid URL ( or it will be a valid URL because the URL parser fix it for us ), by checking the image bellow:

// trustedOrigins = [ "https://example.com" ]
validateURL("https://attacker.com", "callbackURL") // ❌ APIError, No Redirect
validateURL("/\/attacker.com", "callbackURL")       // ✅ Redirect to http://attacker.com

Regex

The issue here is because the regex is not strong enough [^/\\]*?\.example\.com[/\\]*? ( this is the regex it will be created if we have a wildcard as config ), but we can bypass by using a payload like:

// trustedOrigins = [ "*.example.com" ]
  ┌──────────────────┐       ┌────────────────┐       ┌─────────────────┐
  │ None of [ "/\" ] │ ────▶ │ ".example.com" │ ────▶ │ One of [ "/\" ] │
  └──────────────────┘       └────────────────┘       └─────────────────┘
          demo                  .example.com                    /               ✅ Redirect to https://example.com
          demo                  .attacker.com                   /               ❌ APIError, no redirect
   http:attacker.com?           .example.com                    /               ✅ Redirect to http://attacker.com

This works because : and ? are special chars in a URL, so when the URL parser sees, http: it will fix our happily fix our URL to http://attacker.com? and make .example.com as parameter, thus, bypassing this check

PoC

We can PoC the open redirect by using the demo.better-auth.com.
If we access the URL bellow, we are redirected to example.com:

• https://demo.better-auth.com/api/auth/reset-password/x?callbackURL=/\/example.com

Impact

Every single website using the better-auth library, is vulnerable to un-auth open redirect and more importantilly, vulnerable to potential one click account take over vulnerability, as the attacker can send the victim a email to reset their account while changing the "redirectTo" parameter here, and when the victim clicks on the link, the reset token is sent to the attackers website, thus making the attacker to use the token stolen and reset the password of the victim.

---

Release Notes

better-auth/better-auth (better-auth)

v1.1.21

Compare Source

   🐞 Bug Fixes

• open-api: Add authentication schemes  -  by @​Bekacru (ee0d6)
• origin-check: Add tests for callback URLs with malicious patterns  -  by @​Bekacru (b381c)

    View changes on GitHub

v1.1.20

Compare Source

   🚀 Features

• email-otp: Add option to set a function to generate OTPs  -  by @​CordlessWool in https://github.com/better-auth/better-auth/issues/1472 (8ba7a)
• sso: Sign in using the providerId  -  by @​kamilkisiela in https://github.com/better-auth/better-auth/issues/1533 (6c67e)

   🐞 Bug Fixes

• Add email verification for in place email updates  -  by @​Bekacru (3ca6c)
• Add callback URL to update email verification link  -  by @​Bekacru (9653f)
• one-tap:
  • Update import path for generateRandomString to fix unsupported crypto import for react native  -  by @​Bekacru (ac848)
  • Remove random string generator for nonce to fix expo client  -  by @​Bekacru (6440a)
• organizaiton:
  • Restrict admins from removing or updating owners or members with creator roles  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1520 (28cc6)
• origin-check:
  • Exclude URLs with double slashes  -  by @​Bekacru (d9c57)
  • Prevent URLs with double slashes from being trusted  -  by @​Bekacru (24659)
• session:
  • Include expiresAt in session data for HMAC verification  -  by @​Bekacru (da62e)

    View changes on GitHub

v1.1.19

Compare Source

   🚀 Features

• cli: Add support for auth.server.ts  -  by @​ardasoyturk in https://github.com/better-auth/better-auth/issues/1456 (b9ccf)
• mongodb-adapter: Support custom ID generation in MongoDB adapter  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1444 (59990)
• one-tap: Improve Google One Tap integration with JWT verification and improved prompt handling  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1452 (8ff19)
• two-factor: Activate two factor with email OTP to avoid Insecure skipVerificationOnEnable  -  by @​GregorWedlich in https://github.com/better-auth/better-auth/issues/1445 (28f18)

   🐞 Bug Fixes

• admin:
  • Impersonate user session expiration  -  by @​Kinfe123 in https://github.com/better-auth/better-auth/issues/1471 (072c5)
  • Unban should reset expiration date and reason  -  by @​Kinfe123 in https://github.com/better-auth/better-auth/issues/1469 (954b1)
• api:
  • Config in getSessionFromCtx overrides query param  -  by @​Kinfe123 in https://github.com/better-auth/better-auth/issues/1496 (261fe)
• auth:
  • Use options.baseURL instead of ctx.baseURL on trusted origins  -  by @​Bekacru (5dfb7)
• db:
  • Normalize email to lowercase in change email verification  -  by @​Bekacru (d80a1)
• email-otp:
  • Don’t save email address as user name  -  by @​benkingcode and benkingcode in https://github.com/better-auth/better-auth/issues/1519 (5f6cb)
• generic-oauth:
  • Support allowDifferentEmails on Generic OAuth Plugin  -  by @​alessandrojean in https://github.com/better-auth/better-auth/issues/1481 (9c3b5)
• jwt-plugin:
  • Include alg in jwks response  -  by @​runreal-warman (459e7)
• oauth:
  • Set tokens on oauth account created during link  -  by @​thiagofelix in https://github.com/better-auth/better-auth/issues/1462 (e5133)
• oidc-plugin:
  • User info endpoint casing to match OIDC spec  -  by @​stephenlacy in https://github.com/better-auth/better-auth/issues/1446 (2ecd3)
  • DeleteVerificationValue call by id  -  by @​runreal-warman (c0bd4)
  • Store and handle nonce value  -  by @​runreal-warman (c39e1)
  • Sub is required /userinfo response  -  by @​runreal-warman in https://github.com/better-auth/better-auth/issues/1504 (8ac1f)
• open-api:
  • Convert path parameters to OpenAPI format  -  by @​Phanuwat-Pao in https://github.com/better-auth/better-auth/issues/1437 (da2fd)
  • Add missing id field in generated OpenAPI for each schema (Models)  -  by @​astahmer in https://github.com/better-auth/better-auth/issues/1491 (add38)
• passkey:
  • Remove client export from the server plugin  -  by @​Bekacru in https://github.com/better-auth/better-auth/issues/1511 (bf47a)

    View changes on GitHub

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.