GHSA-9x4v-xfq5-m8x5
Suggest an improvement- Source
- https://github.com/advisories/GHSA-9x4v-xfq5-m8x5
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-9x4v-xfq5-m8x5/GHSA-9x4v-xfq5-m8x5.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-9x4v-xfq5-m8x5
- Published
- 2025-02-05T21:49:39Z
- Modified
- 2025-12-09T17:35:54.250145Z
- Severity
-
- 5.1 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)
- Details
-
Summary
The better-auth
/api/auth/errorpage was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) vulnerability.Details
The value of
errorURL parameter was reflected as HTML on the error page: https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81Impact
An attacker who exploited this vulnerability by coercing a user to visit a specially-crafted URL could execute arbitrary JavaScript in the context of the user's browser.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "github_reviewed_at": "2025-02-05T21:49:39Z", "severity": "MODERATE", "github_reviewed": true }- References
-
- https://github.com/better-auth/better-auth/security/advisories/GHSA-9x4v-xfq5-m8x5
- https://github.com/better-auth/better-auth/commit/7ae340e2eddad641b7e43d24d37c58a66ce9ddcf
- https://github.com/better-auth/better-auth
- https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81
Affected packages
npm / better-auth
Package
- Name
- better-auth
- View open source insights on deps.dev
- Purl
- pkg:npm/better-auth