GHSA-99h5-pjcv-gr6v: 
Better Auth vulnerability analysis and mitigation

Better Auth, an authentication and authorization library for TypeScript, was found to contain a critical authentication bypass vulnerability (GHSA-99h5-pjcv-gr6v/CVE-2025-61928) affecting versions prior to 1.3.26. The vulnerability was discovered by ZeroPath and disclosed on October 9, 2025. The issue allows unauthenticated attackers to create or modify API keys for any user by exploiting a flaw in the authentication logic of the api-key plugin (GitHub Advisory, NVD).

The vulnerability exists in the authentication logic when checking for user authentication. The code derives the user as session?.user ?? (authRequired ? null : { id: ctx.body.userId }). When no session exists but userId is present in the request body, authRequired becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when authRequired is true, allowing attackers to set privileged fields. The vulnerability received a CVSS v4.0 base score of 9.3 (Critical) with vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (GitHub Advisory).

This critical authentication bypass enables an unauthenticated attacker to generate an API key for any user and immediately gain complete authenticated access. The attacker can perform any action as the victim user using the API key, potentially compromising user data and the application depending on the victim's privileges (GitHub Advisory).

The vulnerability has been patched in version 1.3.26 of Better Auth. Users should upgrade to this version or later to protect against this authentication bypass vulnerability (NVD).