GHSA-hq75-xg7r-rx6c: 
JavaScript vulnerability analysis and mitigation

The vulnerability (GHSA-hq75-xg7r-rx6c) affects the better-call npm package versions <= 1.0.11, with a patched version available in 1.0.12. This moderate severity vulnerability was published on July 11, 2025, and involves a routing bug that can lead to cache deception attacks (GitHub Advisory).

The vulnerability stems from insufficient path sanitization in the request processing logic. The library splits the path using config.basePath without proper validation of remaining path components. The problematic code processes requests by splitting URL paths without adequate security checks: const path = config?.basePath ? url.pathname.split(config.basePath)[1] : url.pathname. This implementation allows specially crafted requests that appear as static assets to bypass CDN cache exclusion rules while accessing sensitive data. The vulnerability has a CVSS v4 base score of 4.9 (Moderate) with Network attack vector, Low attack complexity, and High confidentiality impact (GitHub Advisory).

When exploited, this vulnerability can lead to unauthorized access to user sessions and personal data through cache deception attacks. The primary risk occurs when cached responses containing sensitive information are served to other users, particularly in environments where CDN caching is enabled (GitHub Advisory).

Users should upgrade to version 1.0.12 or later which contains the patch for this vulnerability. The fix was implemented to properly handle duplicate base paths in the router (GitHub Commit).