GHSA-99h5-pjcv-gr6v

Source
https://github.com/advisories/GHSA-99h5-pjcv-gr6v
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-99h5-pjcv-gr6v/GHSA-99h5-pjcv-gr6v.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-99h5-pjcv-gr6v
Aliases
Published
2025-10-09T15:40:50Z
Modified
2025-12-09T16:32:58.358556Z
Severity
  • 8.6 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
Summary
Better Auth: Unauthenticated API key creation through api-key plugin
Details

Summary

A critical authentication bypass was identified in the API key creation and update endpoints. An attacker could create or modify API keys for arbitrary users by supplying a victim’s user ID in the request body. Due to a flaw in how the authenticated user was derived, the endpoints could treat attacker-controlled input as an authenticated user object under certain conditions.

Details

The vulnerability originated from fallback logic used when determining the current user. When no session was present, the handler incorrectly allowed request-body data to populate the user context used for authorization decisions. Because server-side validation only executed when authentication was required, privileged fields were not properly protected. As a result, the API accepted unauthenticated requests that targeted other users.

This same pattern affected both the API key creation and update routes.

Impact

Unauthenticated attackers could generate or modify API keys belonging to any user. This granted full authenticated access as the targeted user and, depending on the user’s privileges, could lead to account compromise, access to sensitive data, or broader application takeover.

Database specific
{
    "nvd_published_at": "2025-10-09T22:15:32Z",
    "github_reviewed_at": "2025-10-09T15:40:50Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-285",
        "CWE-306"
    ]
}
References

Affected packages

npm / better-auth

Package

Affected ranges

Type
SEMVER
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.3.26

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-99h5-pjcv-gr6v/GHSA-99h5-pjcv-gr6v.json"