PT-2026-56298 · Npm · @Better-Auth/Sso
Published
2026-07-07
·
Updated
2026-07-08
·
CVE-2026-53513
CVSS v3.1
9.6
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
@better-auth/sso versions 0.1.0 through 1.6.10
@better-auth/sso versions 1.7.0-beta.x
Description
An SSRF flaw exists in the provider registration flow where OpenID Connect (OIDC) endpoint URLs are accepted without proper validation. When
skipDiscovery is set to true, the POST /sso/register and POST /sso/update-provider endpoints allow the persistence of attacker-controlled URLs in the oidcConfig.userInfoEndpoint, tokenEndpoint, and jwksEndpoint variables. The server subsequently issues outbound HTTP requests to these URLs during the OIDC callback, reflecting the response body through the user profile. This allows an authenticated user to perform non-blind SSRF to probe internal networks, access cloud metadata services, or reach internal APIs.If the
trustEmailVerified variable is set to true, an attacker can escalate this to account takeover by providing a malicious userInfo response with emailVerified: true and a chosen email, triggering an OAuth auto-link to a pre-existing user account.Recommendations
Upgrade @better-auth/sso to version 1.6.11 or later.
As a temporary workaround, disable provider self-registration by setting
sso({ providersLimit: 0 }).
As a temporary workaround, block POST /sso/register and POST /sso/update-provider at the reverse-proxy level or restrict access to a small list of admin users.
As a temporary workaround, implement network-level egress controls to block requests to RFC 1918, RFC 4193, and link-local ranges, including the cloud-metadata FQDN list.
As a temporary workaround, set trustEmailVerified to false to prevent account takeover escalation.Fix
Insufficient Verification of Data Authenticity
RCE
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Better-Auth/Sso