CVE-2024-56734 refers to an open redirect vulnerability discovered in the verify email endpoint of Better Auth, a TypeScript authentication library. All versions prior to v1.1.6 are affected, potentially exposing users to the risk of being redirected to malicious websites. The vulnerability can be exploited when a user clicks on an email verification link generated by the library. The latest patch, version 1.1.6, mitigates this risk.
Origins
The Better Auth library is widely used in TypeScript applications for authentication purposes. Its official repository can be found here: Better Auth Repository. An open redirect issue was reported on the library's GitHub page, triggering a review of the codebase and a subsequent patch to fix the issue.
Details of the Vulnerability
The vulnerability lies in the verify email callback endpoint, which takes a callbackURL parameter. This parameter is not validated against a trusted set of origins before it is used as a redirect target. As a result, an attacker can manipulate this parameter to redirect users to an arbitrary URL controlled by the attacker.
The typical code snippet for handling email verification with Better Auth (using a JWT email token) looks like this:
const express = require('express');
const app = express();
// betterAuth: the configured Better Auth instance (setup omitted here).

// Vulnerable pattern (versions before 1.1.6): callbackURL is taken straight
// from the query string and forwarded to the library without any origin check.
app.get('/auth/verify_email', (req, res) => {
  betterAuth.verifyEmail(
    req.query.email_token,   // the emailed verification token
    req.query.callbackURL,   // attacker-controllable redirect target
    (errors) => {
      if (errors) {
        res.status(401).send(errors);
      } else {
        res.status(200).send('Email verified.');
      }
    }
  );
});
The issue stems from the fact that the library's origin check only runs for POST requests. A verification link is opened with a GET request, so the check is bypassed entirely and the target domain of callbackURL is never validated before the redirect.
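To make the two points above concrete (an untrusted callbackURL, and an origin check that only runs for POST), here is an added example that is not Better Auth's own code. It places the vulnerable shape next to a hardened resolver that validates the destination on every request method. APP_ORIGIN, TRUSTED_ORIGINS, FALLBACK_PATH and the handler signature are assumptions made for this illustration.

```typescript
// Added example, not Better Auth's own code. The origin, allowlist and
// handler shape below are assumptions for the illustration.

const APP_ORIGIN = "https://app.example.com";                                       // assumed deployment origin
const TRUSTED_ORIGINS = new Set<string>([APP_ORIGIN, "https://admin.example.com"]); // assumed allowlist
const FALLBACK_PATH = "/email-verified";                                            // safe default destination

// Vulnerable shape: an origin check exists, but only for POST. A GET
// verification link hands callbackURL through untouched.
function vulnerableRedirectTarget(method: string, callbackURL: string, requestOrigin?: string): string {
  if (method === "POST" && requestOrigin !== APP_ORIGIN) {
    throw new Error("origin not allowed");
  }
  return callbackURL; // GET path: no validation at all
}

// Hardened shape: validate regardless of method. Resolve the value against
// APP_ORIGIN so relative paths still work, then require an http(s) scheme and
// a trusted origin; anything else falls back to a fixed local path.
function safeRedirectTarget(callbackURL: string | undefined): string {
  if (!callbackURL) return FALLBACK_PATH;
  let url: URL;
  try {
    // "//evil.example/x" resolves to https://evil.example/x and is rejected below.
    url = new URL(callbackURL, APP_ORIGIN);
  } catch {
    return FALLBACK_PATH; // unparsable input is never forwarded
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return FALLBACK_PATH; // rejects javascript:, data:, ...
  if (!TRUSTED_ORIGINS.has(url.origin)) return FALLBACK_PATH;
  return url.toString(); // normalized absolute URL
}

interface VerifyResponse { status: number; location: string; }

// Framework-free stand-in for the GET handler shown above: check the token,
// then redirect only to a validated destination.
function handleVerifyEmailGet(
  query: { email_token?: string; callbackURL?: string },
  verifyToken: (token: string) => boolean,
): VerifyResponse {
  if (!query.email_token || !verifyToken(query.email_token)) {
    return { status: 401, location: "" };
  }
  return { status: 302, location: safeRedirectTarget(query.callbackURL) };
}
```

Resolving against APP_ORIGIN before comparing origins is what defeats protocol-relative values such as //evil.example and scheme tricks such as javascript:, both of which pass a naive "does it start with a slash" check. The comparison is on url.origin, not on a string prefix, so https://app.example.com.evil.example is also rejected.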
Exploiting the Vulnerability
An attacker could exploit the vulnerability by sending phishing emails to unsuspecting users containing a malicious link. Once a user clicks on this link, they could be redirected to an attacker-controlled website to trick them into providing sensitive personal information.
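From the defender's side, one useful response to the scenario above is to look back through access logs for verification-link requests whose callbackURL would have sent the user off-origin, which is a sign that such links were circulated. The following is an added detection example, not from the page or the project; the application origin and the log lines are constructed for the illustration.

```typescript
// Added detection example, not from the page or the project. The origin and
// the log lines below are constructed.

const EXPECTED_ORIGIN = "https://app.example.com"; // assumed application origin
const VERIFY_PATH = "/auth/verify_email";           // endpoint path used in the snippet above

// Constructed Common Log Format lines (not real traffic).
const SAMPLE_LOG_LINES: string[] = [
  '203.0.113.5 - - [30/Dec/2024:17:20:01 +0000] "GET /auth/verify_email?email_token=t1&callbackURL=%2Fdashboard HTTP/1.1" 302 0',
  '203.0.113.7 - - [30/Dec/2024:17:21:13 +0000] "GET /auth/verify_email?email_token=t2&callbackURL=https%3A%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0',
  '203.0.113.9 - - [30/Dec/2024:17:22:40 +0000] "GET /auth/verify_email?email_token=t3&callbackURL=%2F%2Fevil.example%2Flogin HTTP/1.1" 302 0',
  '203.0.113.9 - - [30/Dec/2024:17:23:02 +0000] "GET /static/app.js HTTP/1.1" 200 5120',
];

interface OffOriginFinding { ip: string; callbackURL: string; resolvedOrigin: string; }

// Returns one finding per request to the verify endpoint whose callbackURL
// resolves to an origin other than EXPECTED_ORIGIN (or cannot be parsed).
function offOriginCallbacks(lines: string[]): OffOriginFinding[] {
  const findings: OffOriginFinding[] = [];
  const clf = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/; // ip, method, request-target
  for (const line of lines) {
    const m = clf.exec(line);
    if (!m) continue;
    const ip = m[1];
    const target = m[3];
    let request: URL;
    try {
      request = new URL(target, EXPECTED_ORIGIN); // origin-form target -> absolute URL
    } catch {
      continue;
    }
    if (request.pathname !== VERIFY_PATH) continue;
    const callbackURL = request.searchParams.get("callbackURL"); // already percent-decoded
    if (callbackURL === null) continue;
    let resolved: URL;
    try {
      resolved = new URL(callbackURL, EXPECTED_ORIGIN); // same resolution a browser would apply
    } catch {
      findings.push({ ip, callbackURL, resolvedOrigin: "unparsable" });
      continue;
    }
    if (resolved.origin !== EXPECTED_ORIGIN) {
      findings.push({ ip, callbackURL, resolvedOrigin: resolved.origin });
    }
  }
  return findings;
}

// Stand-alone run: print the findings for the constructed sample.
for (const f of offOriginCallbacks(SAMPLE_LOG_LINES)) {
  console.log(`${f.ip} -> ${f.resolvedOrigin} via callbackURL=${f.callbackURL}`);
}
```

The percent-decoding done by searchParams.get matters: the third line carries %2F%2Fevil.example, which only becomes a protocol-relative URL after decoding, so a plain substring search for "http" in the raw line would miss it. Resolving the decoded value against the application's origin mirrors what the victim's browser does and is the comparison to alert on.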
Mitigation
The Better Auth library has released version 1.1.6 to address this issue. Upgrading to this version provides a patch to the open redirect vulnerability. Users are advised to upgrade their projects using the following command:
npm update better-auth
It is also recommended to thoroughly review the existing implementations of Better Auth and make any necessary modifications to ensure safe usage of the library.
References
- Better Auth Repository
- Original GitHub Issue
- NIST CVE-2024-56734
Conclusion
The open redirect vulnerability in the verify email endpoint of Better Auth (CVE-2024-56734) poses a potential risk to users. By upgrading to version 1.1.6, teams can ensure their applications are no longer susceptible to this malicious redirection. As always, it is crucial to keep dependencies up to date and stay informed of potential security issues that could affect a team's applications.
Timeline
Published on: 12/30/2024 17:15:10 UTC