DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-86J7-9J95-VPQJ: GHSA-86J7-9J95-VPQJ: Stored Cross-Site Scripting in Better Auth Plugins via Malicious Redirect URIs

GHSA-86J7-9J95-VPQJ: Stored Cross-Site Scripting in Better Auth Plugins via Malicious Redirect URIs

Vulnerability ID: GHSA-86J7-9J95-VPQJ
CVSS Score: 8.8
Published: 2026-07-07

A stored cross-site scripting vulnerability exists in the oidc-provider and mcp plugins of Better Auth. Attackers can register malicious clients with javascript: redirect URIs, leading to origin takeover when users authorize the client.

TL;DR

Stored XSS in Better Auth plugins allows attackers to execute arbitrary JavaScript in the authentication server's origin via malicious redirect URIs.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-79
  • Attack Vector: Network (AV:N)
  • CVSS: 8.8
  • EPSS: N/A
  • Impact: Origin Compromise (Stored XSS)
  • Exploit Status: PoC Available
  • KEV Status: Not Listed

Affected Systems

  • Better Auth oidc-provider plugin
  • Better Auth mcp plugin
  • better-auth: < 1.6.13 (Fixed in: 1.6.13)

Code Analysis

Commit: be32012

Consolidate safe URL scheme checks and validate redirect URIs in oidc-provider and mcp plugins.

Exploit Details

Mitigation Strategies

  • Upgrade to version 1.6.13 or 1.7.0-beta.4 immediately.
  • Migrate from deprecated oidc-provider and mcp plugins to @better-auth/oauth-provider.
  • Deploy a strict Content Security Policy (CSP) to restrict JavaScript scheme executions.

Remediation Steps:

  1. Identify applications running better-auth versions prior to 1.6.13.
  2. Run 'npm install better-auth@1.6.13' or upgrade your lockfile.
  3. If using v1.7 pre-releases, upgrade to 'v1.7.0-beta.4' or newer.
  4. Restart the authentication service and verify client registrations block 'javascript:' URIs.

References


Read the full report for GHSA-86J7-9J95-VPQJ on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)