Open Redirect Vulnerability in Better Auth Authentication Library for TypeScript
CVE-2025-53535

2.1 LOW

Key Information:

CVE Published: 7 July 2025

What is CVE-2025-53535?

A vulnerability exists in the originCheck middleware function of Better Auth, an authentication and authorization library for TypeScript. The flaw allows open redirects on critical routes, including /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, and /oauth-proxy-callback. Users can be redirected to malicious sites, which can expose sensitive user data. The issue is fixed in Better Auth version 1.2.10.

Affected Version(s)

better-auth < 1.2.10

CVSS V4

Score: 2.1
Severity: LOW
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
