Horizon Alert
Summary of the vulnerability and why it matters
This advisory addresses a critical security vulnerability in the Better Auth library, which handles authentication and authorization for TypeScript applications. Specifically, certain plugins within the library were found to improperly authenticate OAuth token requests. This could allow an attacker to potentially mint new access tokens, even without possessing all the necessary credentials, by exploiting a flaw in how refresh tokens are verified. The main concern is confirming if our systems utilize the affected components.
- Authentication flaw in token handling.
- Confirms potential for unauthorized token minting.
- Assess relevance and exposure to affected components.
Attack Path
How an attacker could exploit the issue
An attacker could gain unauthorized access by exploiting a weakness in the authentication library's token endpoints. If an attacker possesses a valid refresh token and the correct client ID, they can bypass security checks to issue new access tokens and refresh tokens. This could allow them to impersonate legitimate users or gain elevated privileges within the system.
- Requires a valid refresh token.
- Targets token issuance endpoints.
- Allows access token minting.
Live Threat
Current exploitation, exposure, and threat context
An attacker could exploit this vulnerability to mint unauthorized access and refresh tokens by posing as a legitimate user. This is possible when the legacy oidcProvider and mcp plugins are used, allowing them to bypass authentication controls and potentially gain access to protected resources.
- Authentication tokens and system access.
- Malicious token minting via exposed endpoints.
- Unauthorized access to protected resources.
Operational Fix
Recommended remediation, mitigation, and detection steps
Teams responsible for securing authentication flows, such as application owners or platform teams, should prioritize this issue. The first practical step is to identify all instances of the affected authentication library, determine their reachability and business criticality, and confirm the accountable owner. Once identified and assessed, a remediation plan can be developed based on the associated risk.
- Application or platform teams own the issue.
- Verify library usage and token endpoint exposure.
- Plan remediation based on exposure and criticality.