CVE-2024-56734 - Open Redirect Vulnerability in Better Auth Email Verification (`<= v1.1.5`)
Better Auth is a popular authentication library for TypeScript projects. A serious open redirect vulnerability has been found in its email verification flow: every version up to and including v1.1.5 is affected, and v1.1.6 fixes it. This post explains the vulnerability in simple terms, how it works, how attackers can exploit it, and what you can do to stay safe.
What Is an Open Redirect?
An open redirect occurs when an application takes a destination URL from a link or request parameter and sends the user there without checking that the destination is one it trusts. Attackers use this to route victims to phishing pages, malware downloads or scams from a link whose visible domain is the trusted site's own, so the user believes they are still dealing with that site.
Details of CVE-2024-56734
Affected library: Better Auth (TypeScript/JavaScript)
Vulnerability: Open Redirect via Email Verification
Patched in: v1.1.6
In Better Auth, the link in the verification email carries a callbackURL parameter that tells the server where to send the user once the token has been checked. An authentication system should accept only trusted destinations here, either a relative path on its own site or an allowlisted origin. The affected versions' email verification handler does not validate callbackURL at all.
Worse, the library's built-in origin check, which is meant to catch exactly this kind of untrusted destination, only runs on POST requests, while the verification link is followed with a plain GET. The check therefore never sees the callbackURL, and the protection is bypassed completely.
Suppose a legitimate site using Better Auth sends a verification email containing a link like this:
https://yourapp.com/auth/verify-email?token=abc123&callbackURL=https://yourapp.com/dashboard
An attacker only has to change the callbackURL so that it points at a site they control:
https://yourapp.com/auth/verify-email?token=abc123&callbackURL=https://evil.com/phishing
When the user clicks this link, the email address is verified as normal and the browser is then sent straight to https://evil.com/phishing. The destination is never checked, and the user started from a genuine yourapp.com URL, so nothing looks wrong.
Why Is This Dangerous?
- Phishing: Attackers can present a link on the real domain that is genuinely safe to click, then land the user on a fake login page or scam site.
- Brand trust damage: Users might blame the legitimate site for any losses or issues.
- Social engineering: The redirect can be the first hop in a longer chain, for example delivering a freshly verified user to a page that harvests credentials or tokens.
Here is a simplified snippet showing the broken logic (an illustration of the handler's shape, not the library's actual source):
// In versions < 1.1.6
import express, { Request, Response } from 'express';

// Placeholder for the token check; how it works is not the issue here.
declare function verifyJwt(token: string): { id: string };

const router = express.Router();

router.get('/auth/verify-email', async (req: Request, res: Response) => {
  const { token, callbackURL } = req.query;
  try {
    // Verify the token (JWT)
    const user = verifyJwt(token as string);
    // ...user validated...

    // No validation on callbackURL: whatever the query string says is where the user goes.
    res.redirect(callbackURL as string);
  } catch (err) {
    res.status(400).send('Invalid verification link');
  }
});
What's missing?
No checks to see if callbackURL is a trusted domain or a safe path.
How Was It Fixed?
In version 1.1.6, Better Auth patched the issue by validating the callbackURL before redirecting. Here’s how it might look after the fix:
import express, { Request, Response } from 'express';

// Placeholder for the token check, as in the snippet above.
declare function verifyJwt(token: string): { id: string };

const router = express.Router();
const BASE_URL = 'https://yourapp.com';
const ALLOWED_DOMAINS = ['yourapp.com'];

router.get('/auth/verify-email', async (req: Request, res: Response) => {
  const { token, callbackURL } = req.query;
  try {
    // Verify the token (JWT)
    const user = verifyJwt(token as string);

    // Validate callbackURL. Resolving against BASE_URL keeps relative paths such as
    // "/dashboard" working, and turns "//evil.com/x" into an absolute URL whose
    // hostname is then checked like any other.
    const url = new URL(callbackURL as string, BASE_URL);
    if (!['http:', 'https:'].includes(url.protocol) || !ALLOWED_DOMAINS.includes(url.hostname)) {
      throw new Error('Invalid redirect domain');
    }
    res.redirect(url.toString());
  } catch (err) {
    res.status(400).send('Invalid verification link');
  }
});
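A hostname allowlist like the one above is the core of the fix, but a production check has more edge cases to cover: relative paths that must keep working, scheme-relative and backslash forms that browsers treat as a different host, suffix tricks such as yourapp.com.evil.com, userinfo tricks such as yourapp.com@evil.com, scheme downgrades and non-web schemes. The following is an added example, not Better Auth's code and not its actual patch, of a stricter resolver a GET handler like this could call. The `resolveCallbackURL` name, the `trustedOrigins` allowlist of full origins and the sample payloads are all assumptions constructed for illustration.

```typescript
// Added example (not Better Auth's code): a strict callbackURL resolver for an
// email-verification GET handler. `trustedOrigins` is an assumed allowlist of
// full origins (scheme + host + port) the app is willing to redirect to.

function resolveCallbackURL(
  raw: string | undefined,
  trustedOrigins: readonly string[],
  baseURL: string,
): string | null {
  // No parameter: stay on our own site rather than guessing.
  if (raw === undefined || raw === "") return baseURL;

  // Resolve relative to our base URL. "/dashboard" becomes a same-origin URL;
  // "//evil.com/x" is scheme-relative and "/\evil.com" is parsed as an
  // authority for special schemes, so both resolve to a different origin
  // and are rejected by the origin check below.
  let parsed: URL;
  try {
    parsed = new URL(raw, baseURL);
  } catch {
    return null; // unparseable input is never a redirect target
  }

  // Only web URLs may be redirect targets; rules out javascript:, data:, file:, ...
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") return null;

  // Compare whole origins, not hostname substrings or prefixes, so
  // "yourapp.com.evil.com", "evil.com/yourapp.com" and an http:// downgrade
  // all fail. The URL parser normalises host case and default ports for us.
  const allowed = new Set(trustedOrigins.map((o) => new URL(o).origin));
  if (!allowed.has(parsed.origin)) return null;

  // Drop any userinfo so "https://alice@yourapp.com/x" does not carry a
  // crafted username into the Location header.
  parsed.username = "";
  parsed.password = "";
  return parsed.toString();
}

// Constructed test inputs for this example: values an attacker might put in
// the callbackURL query parameter of the verification link.
const BASE = "https://yourapp.com";
const TRUSTED = ["https://yourapp.com", "https://app.yourapp.com"];
const SAMPLE_PAYLOADS = [
  "/dashboard",                          // legitimate relative path
  "https://app.yourapp.com/verified",    // legitimate trusted origin
  "https://evil.com/phishing",           // the scenario described in this post
  "//evil.com/phishing",                 // scheme-relative URL
  "/\\evil.com",                         // backslash form, parsed as an authority
  "https://yourapp.com.evil.com/",       // suffix-matching bypass
  "https://yourapp.com@evil.com/",       // userinfo bypass
  "http://yourapp.com/",                 // scheme downgrade
  "javascript:alert(document.domain)",   // non-web scheme
];

function evaluatePayloads(): Array<{ payload: string; redirectTo: string | null }> {
  return SAMPLE_PAYLOADS.map((payload) => ({
    payload,
    redirectTo: resolveCallbackURL(payload, TRUSTED, BASE),
  }));
}

for (const row of evaluatePayloads()) {
  console.log(`${row.redirectTo ? "ALLOW " : "REJECT"}  ${row.payload} -> ${row.redirectTo}`);
}
```

Only the first two payloads survive. Whole-origin comparison matters: a check on `hostname` alone would still pass the `http://` downgrade, and a check that the string starts with or contains `yourapp.com` would pass the suffix and userinfo forms.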
What Should You Do?
Upgrade:
Update better-auth to v1.1.6 or later, the release that adds the callbackURL check to the email verification handler.
Educate users:
Warn users never to click suspicious verification links, especially ones they did not request or that arrive from unexpected sources.
Report suspicious emails:
If you see odd-looking verification links, alert your users and encourage them to report phishing attempts.
References & Official Sources
- Official Advisory on GitHub
- npm Security Advisory for better-auth
- OWASP Explanation of Open Redirects
Summary
CVE-2024-56734 in Better Auth allows attackers to redirect users to untrusted websites using manipulated email verification links, because the GET verification handler never validates the callbackURL parameter. This can lead to phishing, scams, and loss of user trust. Anyone running Better Auth v1.1.5 or earlier should upgrade to v1.1.6 or later to stay protected.
Timeline
Published on: 12/30/2024 17:15:10 UTC