CVE-2025-61928: 
Better Auth vulnerability analysis and mitigation

Better Auth, a popular TypeScript authentication and authorization library with over 1.5 million monthly downloads, was found to contain a critical authentication bypass vulnerability (CVE-2025-61928) discovered in October 2025. The vulnerability affects versions prior to 1.3.26 and received a CVSS v4.0 score of 9.3 (Critical). The flaw allows unauthenticated attackers to create or modify API keys for any user by exploiting a weakness in the authentication logic of the API keys plugin (NVD, SecurityOnline).

The vulnerability exists in the authentication logic where user authentication is checked using the expression session?.user ?? (authRequired ? null : { id: ctx.body.userId }). When no session exists but userId is present in the request body, authRequired becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when authRequired is true, allowing attackers to set privileged fields with no additional authentication checks before database operations. The same vulnerability pattern exists in both the create and update endpoints (GitHub Advisory).

This critical authentication bypass enables unauthenticated attackers to generate API keys for any user, leading to complete authenticated access. Attackers can perform any action as the victim user using the generated API key, potentially compromising user data and applications depending on the victim's privileges. The vulnerability is particularly dangerous as API keys often grant long-lived, elevated privileges for automation (SecurityOnline, CyberSecurityNews).

Users should immediately upgrade to Better Auth version 1.3.26 or later, which contains a patch for the vulnerability. Additionally, it is recommended to rotate all API keys created via the plugin, invalidate unused ones, and audit logs for suspicious unauthenticated requests to create or update endpoints, especially those setting userId or high-privilege values (CyberSecurityNews).

The vulnerability has garnered significant attention in the security community due to Better Auth's widespread adoption, particularly among fast-growing startups and major enterprises, including energy giant Equinor. The maintainers responded swiftly to the disclosure, patching the vulnerability within a week of its discovery (CyberSecurityNews).