CVE-2024-56734

{"id": "CVE-2024-56734", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 6.1, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.8}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2024-12-30T17:15:10.133", "references": [{"url": "https://github.com/better-auth/better-auth/commit/deb3d73aea90d0468d92723f4511542b593e522f", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723", "tags": ["Exploit", "Vendor Advisory", "Mitigation"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-601"}]}], "descriptions": [{"lang": "en", "value": "Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects users relying on email verification links generated by the library. The verify email callback endpoint accepts a `callbackURL` parameter. Unlike other verification methods, email verification only uses JWT to verify and redirect without proper validation of the target domain. The origin checker is bypassed in this scenario because it only checks for `POST` requests. An attacker can manipulate this parameter to redirect users to arbitrary URLs controlled by the attacker. Version 1.1.6 contains a patch for the issue."}, {"lang": "es", "value": "Better Auth es una librer\u00eda de autenticaci\u00f3n para TypeScript. Se ha identificado una vulnerabilidad de redirecci\u00f3n abierta en el endpoint de verificaci\u00f3n de correo electr\u00f3nico de todas las versiones de Better Auth anteriores a la v1.1.6, lo que potencialmente permite a los atacantes redirigir a los usuarios a sitios web maliciosos. Este problema afecta a los usuarios que dependen de los enlaces de verificaci\u00f3n de correo electr\u00f3nico generados por la librer\u00eda. El endpoint de devoluci\u00f3n de llamada de verificaci\u00f3n de correo electr\u00f3nico acepta un par\u00e1metro `callbackURL`. A diferencia de otros m\u00e9todos de verificaci\u00f3n, la verificaci\u00f3n de correo electr\u00f3nico solo utiliza JWT para verificar y redirigir sin la validaci\u00f3n adecuada del dominio de destino. El verificador de origen se omite en este escenario porque solo verifica las solicitudes `POST`. Un atacante puede manipular este par\u00e1metro para redirigir a los usuarios a URL arbitrarias controladas por el atacante. La versi\u00f3n 1.1.6 contiene un parche para el problema."}], "lastModified": "2025-10-20T16:15:38.140", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:better-auth:better_auth:*:*:*:*:*:node.js:*:*", "vulnerable": true, "matchCriteriaId": "EA9CEF97-8CA3-4FAA-9D01-B07D1E331658", "versionEndExcluding": "1.1.6"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}