{"uuid": "a8c163a8-ba38-408b-b235-217de274d94e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-WXW3-Q3M9-C3JR", "type": "seen", "source": "https://gist.github.com/alon710/4cc7bcd5f1c1a36dc5ed49cf14f62cbd", "content": "# GHSA-WXW3-Q3M9-C3JR: Login CSRF via Insufficient OAuth State Verification in Better Auth\n\n> **CVSS Score:** 6.5\n> **Published:** 2026-05-15\n> **Full Report:** https://cvereports.com/reports/GHSA-WXW3-Q3M9-C3JR\n\n## Summary\nBetter Auth's OAuth implementation contains a logic flaw in its handling of the `state` parameter when the cookie-backed state storage strategy is used. The application does not cryptographically bind the generated OAuth state nonce to the stored session metadata, so verification during the callback phase is insufficient. This omission permits Login Cross-Site Request Forgery (CSRF) and account association attacks when Proof Key for Code Exchange (PKCE) is disabled.\n\n## TL;DR\nBetter Auth fails to verify the OAuth `state` parameter during callback processing when using the cookie storage strategy without PKCE, enabling Login CSRF attacks.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-352, CWE-345\n- **Attack Vector**: Network\n- **CVSS Base Score**: 6.5\n- **Impact**: Login CSRF / Account Hijacking\n- **Exploit Status**: Proof of Concept Available\n- **Authentication Required**: None\n\n## Affected Systems\n\n- Applications using `better-auth` with `storeStateStrategy: \"cookie\"` and without PKCE enabled.\n- **better-auth**: versions before commit 9deb7936aba7931f2db4b460141f476508f11bfd (fixed in commit `9deb7936aba7931f2db4b460141f476508f11bfd`)\n\n## Mitigation\n\n- Upgrade `better-auth` to the latest patched version containing the state verification fix.\n- Switch the `storeStateStrategy` configuration from `\"cookie\"` to `\"database\"`.\n- Enable Proof Key for Code Exchange (PKCE) across all OAuth clients.\n\n**Remediation Steps:**\n1. Identify all services using the `better-auth` library.\n2. Verify the configured `storeStateStrategy` within the Better Auth initialization block.\n3. If using the `cookie` strategy, update the `better-auth` dependency to the latest release.\n4. Deploy the updated application build.\n5. Ensure `pkce: true` is set in the OAuth configuration block to provide defense-in-depth.\n\n## References\n\n- [GitHub Advisory: Better Auth OAuth callback accepts mismatched state](https://github.com/advisories/GHSA-WXW3-Q3M9-C3JR)\n- [Better Auth Security Advisories](https://github.com/better-auth/better-auth/security)\n- [Fix Commit](https://github.com/better-auth/better-auth/commit/9deb7936aba7931f2db4b460141f476508f11bfd)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-WXW3-Q3M9-C3JR) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-05-15T21:40:29.000000Z"}