Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix(deps): update dependency better-auth to v1.1.6 [security] #517

Merged
merged 1 commit into from
Dec 31, 2024
Merged

fix(deps): update dependency better-auth to v1.1.6 [security] #517

merged 1 commit into from
Dec 31, 2024

Conversation

renovate[bot]
Copy link
Contributor

@renovate renovate bot commented Dec 30, 2024

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
better-auth (source) 1.0.20 -> 1.1.6 age adoption passing confidence

GitHub Vulnerability Alerts

CVE-2024-56734

Summary

An open redirect vulnerability has been identified in the verify email endpoint of Better Auth, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library.

Affected Versions

  • All versions prior to v1.1.6.

Impact

Attackers could craft malicious email verification links that exploit the redirect functionality to send users to untrusted domains. This can result in:

  • Phishing attacks – Users may unknowingly enter sensitive information on fake login pages.
  • Reputation damage – Trust issues for applications using Better Auth.

Vulnerability Details

The verify email callback endpoint accepts a callbackURL parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for POST requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker.

Example Exploit:

https://example.com/auth/verify-email?token=abcd1234&callbackURL=https://malicious-site.com

Patches

Upgrade to Better Auth v1.1.6 or later. This version enforces domain validation for callbackURL for /verify-email path and for all other GET endpoints.

Workarounds

You can also use hooks to pre-check URLs in your auth instance to prevent this without upgrading:

const auth = betterAuth({
    hooks: {
         before: (ctx) => {
            if (ctx.path === "/verify-email") {
               const callbackURL = ctx.query.callbackURL; // Check if this is a trusted callback URL or not
            }
         }
    }
})

Release Notes

better-auth/better-auth (better-auth)

v1.1.6

Compare Source

    🔓 Security Fixes
    View changes on GitHub

v1.1.5

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v1.1.4

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v1.1.3

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v1.1.2

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

v1.1.1

Compare Source

    Refactor (API Change)
  • passkey: Add a credentialID field to replace generated IDs and prevent storing invalid IDs when the ID is database-generated and removes webAuthnUserId since it's duplicate property with userId. If you were using passkeys, migrate to this change by renaming the existing id field to credentialID for existing users. After that, the current webauthnUserID field can be renamed to id (primary key).  -  by @​masterjanic and @​Bekacru in https://github.com/better-auth/better-auth/issues/865 (f3acd)
   🐞 Bug Fixes
    View changes on GitHub

v1.1.0

Compare Source

    🚀 New Features
    ✨ Improvements and API Changes
   🐞 Bug Fixes
    View changes on GitHub

v1.0.22

Compare Source

   🚀 Features
   🐞 Bug Fixes
    View changes on GitHub

v1.0.21

Compare Source

   🐞 Bug Fixes
    View changes on GitHub

Configuration

📅 Schedule: Branch creation - "" in timezone Asia/Shanghai, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the renovate label Dec 30, 2024
@vercel Vercel
Copy link

vercel bot commented Dec 30, 2024
edited
Loading

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name Status Preview Comments Updated (UTC)
shiro ✅ Ready (Inspect) Visit Preview 💬 Add feedback Dec 30, 2024 5:40pm

@github-actions GitHub Actions
Copy link

📦 Next.js Bundle Analysis for Shiro

This analysis was generated by the Next.js Bundle Analysis action. 🤖

🎉 Global Bundle Size Decreased

Page Size (compressed)
global 87.18 KB (🟢 -19 B)
Details

The global bundle is the javascript bundle that loads alongside every page. It is in its own category because its impact is much higher - an increase to its size means that every page on your website loads slower, and a decrease means every page loads faster.

Any third party scripts you have added directly to your app using the <script> tag are not accounted for in this analysis

If you want further insight into what is behind the changes, give @next/bundle-analyzer a try!

@Innei Innei merged commit 5edae6f into main Dec 31, 2024
4 checks passed
@renovate renovate bot deleted the renovate/npm-better-auth-vulnerability branch December 31, 2024 16:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
renovate
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@Innei