better-auth is vulnerable to Improper Input Validation
Medium Risk
The SafeUrlSchema and isSafeUrlScheme helpers validate the OAuth redirect URIs that Better Auth provider plugins store and later return to clients. Before the fix, validation relied on URL.canParse, which is missing or throws on some supported runtimes and could therefore disable dangerous-scheme blocking; SafeUrlSchema also accepted redirect URIs containing a fragment component. An attacker who registers or supplies a non-compliant redirect target could bypass the scheme or fragment restrictions in affected configurations. The fix wraps URL parsing in try/catch for runtime safety and rejects redirect URIs that include a fragment, as required by RFC 6749.
You are affected if you are using a version that falls within the vulnerable range and you use Better Auth OAuth provider plugins or other flows that rely on SafeUrlSchema or isSafeUrlScheme for redirect URI validation.
better-auth is vulnerable to Improper Input Validation in versions 1.6.13 - 1.6.13.
Upgrade the better-auth library to the patched version.
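The hardened approach the advisory describes, as an added illustration (example code, not better-auth's own implementation; the function names, the blocked-scheme list and the result shape are assumptions):

```javascript
// Added example, not code from better-auth. Names and the blocked-scheme list are
// illustrative assumptions; the project's own helpers may differ.
const DANGEROUS_SCHEMES = new Set(["javascript:", "data:", "vbscript:", "file:"]);

// Fragile pattern, kept for contrast: guarding the parse with URL.canParse throws
// a TypeError on a runtime where that method is absent (simulated here by
// injecting null), so a caller that swallows the error can end up skipping
// scheme blocking entirely.
function isSafeUrlSchemeFragile(value, canParse = URL.canParse) {
  if (!canParse(value)) return false;
  return !DANGEROUS_SCHEMES.has(new URL(value).protocol);
}

// Runtime-safe parse: relies only on the URL constructor, which every supported
// runtime provides, and turns a parse failure into null instead of an exception.
function tryParseUrl(value) {
  try {
    return new URL(value);
  } catch {
    return null;
  }
}

// True only for an absolute, parseable URL whose scheme is not on the block list.
// WHATWG URL lower-cases the scheme, so "JavaScript:" is caught as "javascript:".
function isSafeUrlScheme(value) {
  const url = tryParseUrl(value);
  return url !== null && !DANGEROUS_SCHEMES.has(url.protocol);
}

// OAuth redirect URI check: safe scheme and no fragment component. RFC 6749
// section 3.1.2 states the redirection endpoint URI MUST NOT include a fragment.
// The raw string is inspected because url.hash is "" both when no "#" is present
// and when the fragment is empty ("https://a/cb#"), and both cases must reject.
function validateRedirectUri(value) {
  const url = tryParseUrl(value);
  if (url === null) return { ok: false, reason: "unparseable" };
  if (DANGEROUS_SCHEMES.has(url.protocol)) return { ok: false, reason: "dangerous-scheme" };
  if (value.includes("#")) return { ok: false, reason: "fragment" };
  return { ok: true };
}
```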