CVE-2025-53535
Awaiting Analysis Awaiting Analysis - Queue
BaseFortify

Publication date: 2025-07-07

Last updated on: 2025-07-08

Assigner: GitHub, Inc.

Description
Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-07-07
Last Modified
2025-07-08
Generated
2026-05-07
AI Q&A
2025-07-07
EPSS Evaluated
2026-05-05
NVD
CVE-2025-53535
EUVD
EUVD-2025-20283
Affected Vendors & Products
Currently, no data is known.
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-601 The web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a redirect.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2025-53535 is an open redirect vulnerability in the originCheck middleware of the Better Auth library for TypeScript. The issue arises because the function that validates URLs uses a simple 'startsWith' check to verify if a URL matches a trusted origin. This check can be bypassed by crafting malicious URLs that appear to start with a trusted origin but actually redirect users to untrusted, potentially harmful sites. This affects several routes like /verify-email and /reset-password/:token, allowing attackers to redirect users to malicious websites. [1]


How can this vulnerability impact me? :

This vulnerability can lead to users being redirected to malicious websites without their knowledge when interacting with affected routes in the Better Auth library. Such open redirects can be exploited for phishing attacks, stealing user credentials, or delivering malware, thereby compromising user security and trust. [1]


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by testing the affected routes (/verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback) for open redirect behavior. You can attempt to access these endpoints with URLs crafted to bypass the originCheck middleware, such as URLs that start with a trusted origin string but redirect to an untrusted site. For example, using curl commands to test redirection responses: curl -v 'https://yourdomain.com/verify-email?redirect=https://trusted.com.evil.com' and observe if the redirect occurs to an untrusted domain. Automated scanning tools or custom scripts can be used to detect open redirects by sending payloads that exploit the insufficient url.startsWith(pattern) check. [1]


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade the better-auth package to version 1.2.10 or later, where the vulnerability is fixed. Until the upgrade can be applied, consider implementing additional validation on redirect URLs to ensure they exactly match trusted origins rather than using startsWith checks, or temporarily disable the affected routes if possible to prevent exploitation. [1]


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart