GHSA-86J7-9J95-VPQJ: Stored Cross-Site Scripting in Better Auth Plugins via Malicious Redirect URIs
Vulnerability ID: GHSA-86J7-9J95-VPQJ
CVSS Score: 8.8
Published: 2026-07-07
A stored cross-site scripting vulnerability exists in the oidc-provider and mcp plugins of Better Auth. Attackers can register malicious clients with javascript: redirect URIs, leading to origin takeover when users authorize the client.
TL;DR
Stored XSS in Better Auth plugins allows attackers to execute arbitrary JavaScript in the authentication server's origin via malicious redirect URIs.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-79
- Attack Vector: Network (AV:N)
- CVSS: 8.8
- EPSS: N/A
- Impact: Origin Compromise (Stored XSS)
- Exploit Status: PoC Available
- KEV Status: Not Listed
Affected Systems
- Better Auth oidc-provider plugin
- Better Auth mcp plugin
-
better-auth: < 1.6.13 (Fixed in:
1.6.13)
Code Analysis
Commit: be32012
Consolidate safe URL scheme checks and validate redirect URIs in oidc-provider and mcp plugins.
Exploit Details
- GitHub Security Advisory: Official vulnerability advisory and root cause discussion
Mitigation Strategies
- Upgrade to version 1.6.13 or 1.7.0-beta.4 immediately.
- Migrate from deprecated oidc-provider and mcp plugins to @better-auth/oauth-provider.
- Deploy a strict Content Security Policy (CSP) to restrict JavaScript scheme executions.
Remediation Steps:
- Identify applications running better-auth versions prior to 1.6.13.
- Run 'npm install better-auth@1.6.13' or upgrade your lockfile.
- If using v1.7 pre-releases, upgrade to 'v1.7.0-beta.4' or newer.
- Restart the authentication service and verify client registrations block 'javascript:' URIs.
References
Read the full report for GHSA-86J7-9J95-VPQJ on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)