{
  "entrypoint_kind": "endpoint",
  "entrypoint_detail": "POST /api/auth/sso/register -> /api/auth/sign-in/sso -> /api/auth/sso/callback/:providerId with a public-FQDN hostname that resolves to a private IP",
  "service_started": true,
  "healthcheck_passed": true,
  "target_path_reached": true,
  "runtime_stack": [
    "node",
    "better-auth",
    "@better-auth/sso",
    "vitest"
  ],
  "proof_artifacts": [
    "logs/vuln_variant.log",
    "logs/vuln-variant-vuln-test.log",
    "logs/vuln-variant-fixed-test.log",
    "logs/vuln-variant-latest-test.log"
  ],
  "tested_fixed_commit": "37f60cb176cb53147da7dfd5ec15afa5b486e81e",
  "notes": "Vulnerable 1.6.10 reproduced. Fixed 1.6.11 accepted a public-FQDN hostname resolving to a private RFC1918 IP, performed SSRF to the internal address, and reached the callback. Latest 1.6.23 blocked the same hostname via runtime DNS resolution (assertOIDCEndpointsResolvePublic)."
}
