CVE-2025-27143: 
JavaScript vulnerability analysis and mitigation

Better Auth, an authentication and authorization library for TypeScript, was found vulnerable to an open redirect attack prior to version 1.1.21. The vulnerability exists in the email verification endpoint and any other endpoint that accepts callback URLs. The issue was discovered on February 24, 2025, and is tracked as CVE-2025-27143. This vulnerability is a bypass of a previous fix for CVE-2024-56734 (GitHub Advisory).

The vulnerability stems from improper validation of the callbackURL parameter. While the server blocks fully qualified URLs, it incorrectly allows scheme-less URLs (e.g., //malicious-site.com). When such URLs are processed, browsers interpret them as fully qualified URLs (e.g., https://malicious-site.com), leading to unintended redirection. The vulnerability has been assigned a CVSS v3.1 Base Score of 6.1 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability can be exploited for phishing attacks, malware distribution, or stealing sensitive authentication tokens. When users click on a crafted malicious verification link, they can be automatically redirected to an attacker's website. This could lead to credential theft through fake login pages or potential session hijacking if used in OAuth flows (GitHub Advisory).

The vulnerability has been patched in Better Auth version 1.1.21. The fix includes improved validation of callback URLs using a more strict regex pattern that prevents scheme-less URLs and other potentially malicious patterns. The patch can be found in commits 24659ae and b381cac (GitHub Patch 1, GitHub Patch 2).