Open Redirect Vulnerability in Better Auth Authentication Library for TypeScript
CVE-2025-27143

6.9MEDIUM

Key Information:

Vendor

Better-auth

Status
Better-auth
Vendor
CVE Published:
24 February 2025

What is CVE-2025-27143?

The Better Auth library for TypeScript allows open redirect vulnerabilities due to improper validation of the callbackURL parameter in email verification and other endpoints. The flaw allows scheme-less URLs, tricking browsers into treating them as fully qualified URLs, opening the door for attackers to create malicious verification links. When a user clicks such a link, they are redirected to the attacker’s site post verification, potentially compromising sensitive data and leading to phishing attacks. An updated patch to address this issue is included in version 1.1.21.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

better-auth < 1.1.20

References

https://github.com/better-auth/better-auth/security/advis...
x_refsource_CONFIRM
https://github.com/better-auth/better-auth/security/advis...
x_refsource_MISC
https://github.com/better-auth/better-auth/commit/24659ae...
x_refsource_MISC

CVSS V4

Score:
6.9
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.