DEV Community

CVE Reports

Originally published at cvereports.com

GHSA-WXW3-Q3M9-C3JR: Login CSRF via Insufficient OAuth State Verification in Better Auth

Vulnerability ID: GHSA-WXW3-Q3M9-C3JR
CVSS Score: 6.5
Published: 2026-05-15

Better Auth's OAuth implementation contains a logic flaw in its handling of the state parameter when the cookie-backed state storage strategy is used. The application does not cryptographically bind the generated OAuth state nonce to the stored session metadata, so the callback phase does not verify that the state returned by the provider matches the one issued for that session. This omission permits Login Cross-Site Request Forgery (CSRF) and account association attacks when Proof Key for Code Exchange (PKCE) is disabled.

TL;DR

Better Auth fails to verify the OAuth state parameter during callback processing when using the cookie storage strategy without PKCE, enabling Login CSRF attacks.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-352, CWE-345
  • Attack Vector: Network
  • CVSS Base Score: 6.5
  • Impact: Login CSRF / Account Hijacking
  • Exploit Status: Proof of Concept Available
  • Authentication Required: None

Affected Systems

  • Applications using better-auth with storeStateStrategy: "cookie" and without PKCE enabled.
  • better-auth: all builds prior to commit 9deb7936aba7931f2db4b460141f476508f11bfd (fixed by that commit).

Code Analysis

Commit: 9deb793

Fix OAuth callback accepting mismatched state when cookie-backed state storage is used

Mitigation Strategies

  • Upgrade better-auth to the latest patched version containing the state verification fix.
  • Switch the storeStateStrategy configuration from "cookie" to "database".
  • Enable Proof Key for Code Exchange (PKCE) across all OAuth clients.

Remediation Steps:

  1. Identify all services utilizing the better-auth library.
  2. Verify the configured storeStateStrategy within the Better Auth initialization block.
  3. If using the cookie strategy, update the better-auth dependency to the latest release.
  4. Deploy the updated application build.
  5. Ensure pkce: true is set in the OAuth configuration block to provide defense-in-depth.

