@better-auth/sso is vulnerable to Improper Authentication
81
High Risk
The @better-auth/sso plugin contains several flaws that each let an SSO sign-in be trusted for an identity it should not represent, when users can self-register providers and implicit account linking is enabled. Domain verification proves one hostname but trusts a comma- or URL-embedded second hostname at sign-in, deleting a provider leaves its linked accounts behind so a freed provider id can be re-registered to assert a victim's identifier, SAML assertions are accepted without validating the audience, recipient, or destination that bind them to this service provider, and the SAML single-logout endpoint builds an auto-submitting form whose action scheme is unchecked so a javascript: location runs script in the auth origin. Together these let an attacker obtain a session as another user, including organization owners or admins, and in the logout case execute reflected script. The fix requires DNS proof for every listed hostname, removes linked accounts on provider deletion, validates the SAML assertion audience, and restricts the logout form action to http and https URLs.
You are affected if you are using a version that falls within the vulnerable range and you let users register SSO providers themselves with implicit account linking enabled.
@better-auth/sso is vulnerable to Improper Authentication in versions 0.0.1 - 1.6.20.
Upgrade the @better-auth/sso library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant