CVE-2025-61928
Published 2025-10-09
Priority P1 79 · critical · 9.3 (CVSS 4.0)
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
EPSS 18.01% (96.8th percentile)
Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. The handler derives the acting user as `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass: an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. The attacker can then perform any action as the victim user with that API key, potentially compromising the user's data and the application, depending on the victim's privileges. Version 1.3.26 contains a patch for the issue.
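The user derivation quoted above, modelled as an added TypeScript example (not Better Auth's source) with a hardened form beside it; the `request`-presence test used to distinguish server-side calls, the `permissions` server-only field and the sample ids are assumptions, not the upstream patch.

```typescript
// Added illustration, not Better Auth's code: a simplified model of the
// create-API-key handler's user derivation and the check that should guard it.
type User = { id: string };
type Body = { userId?: string; name?: string; permissions?: string[] };
type Ctx = {
  session: { user: User } | null;
  body: Body;
  request?: { headers: Record<string, string> }; // present for HTTP, absent for server-side calls (assumed)
};
type Result = { ok: true; owner: string } | { ok: false; status: number };

const SERVER_ONLY_FIELDS: (keyof Body)[] = ["permissions"]; // assumed privileged field

// Vulnerable shape (pre-1.3.26, as the advisory describes it): a body userId
// turns authRequired off, so an unauthenticated caller chooses the key owner
// and the server-only field check is skipped on exactly that path.
function createKeyVulnerable(ctx: Ctx): Result {
  const authRequired = !ctx.body.userId;
  const user = ctx.session?.user ?? (authRequired ? null : { id: ctx.body.userId! });
  if (!user) return { ok: false, status: 401 };
  if (authRequired && SERVER_ONLY_FIELDS.some((f) => ctx.body[f] !== undefined)) {
    return { ok: false, status: 400 };
  }
  return { ok: true, owner: user.id };
}

// Hardened shape (an assumed design, not the upstream fix): body.userId and
// server-only fields are honoured only for calls with no inbound HTTP request;
// an HTTP caller always needs a session and can only act on its own account.
function createKeyHardened(ctx: Ctx): Result {
  const isServerCall = ctx.request === undefined;
  const user = ctx.session?.user ?? (isServerCall && ctx.body.userId ? { id: ctx.body.userId } : null);
  if (!user) return { ok: false, status: 401 };
  if (!isServerCall && SERVER_ONLY_FIELDS.some((f) => ctx.body[f] !== undefined)) {
    return { ok: false, status: 400 };
  }
  if (!isServerCall && ctx.body.userId && ctx.body.userId !== user.id) {
    return { ok: false, status: 403 };
  }
  return { ok: true, owner: user.id };
}

// Constructed sample: an unauthenticated HTTP POST naming another user's id.
const unauthenticatedRequest: Ctx = {
  session: null,
  body: { userId: "victim-user-id", name: "takeover", permissions: ["admin"] },
  request: { headers: { "content-type": "application/json" } },
};
```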
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| better-auth | better-auth | < 1.3.26 | 1.3.26 |
| better-auth | better-auth | >= 0 < 1.3.26 | 1.3.26 |
Detection & IOCs (extracted from sources)
Source URL: zeropath.com/blog/breaking-authentication-unauthenticated-api-key-creation-in-better-auth-cve-2025-61928
Snort rule:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS better-auth Unauthenticated API Key Creation (CVE-2025-61928)"; flow:established,to_server; http.uri; content:"/api/auth/api-key/create"; fast_pattern; startswith; http.request_body; content:"|22|userId|22|"; content:"|22|name|22|"; http.method; content:"POST"; reference:url,zeropath.com/blog/breaking-authentication-unauthenticated-api-key-creation-in-better-auth-cve-2025-61928; reference:cve,2025-61928; classtype:web-application-attack; sid:2065283; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_10_21, cve CVE_2025_61928, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Detect unauthenticated POST requests to /api/auth/api-key/create that include a 'userId' field in the JSON request body but carry no session cookie/token; this is the core exploit pattern for CVE-2025-61928.
- Alert on HTTP POST request bodies containing both the byte sequence for '"userId"' (|22|userId|22|) and '"name"' (|22|name|22|) to the /api/auth/api-key/create URI, as used in the Emerging Threats Snort rule (sid:2065283).
- The same authentication bypass pattern exists in the API key update endpoint; monitor for unauthenticated requests with attacker-supplied userId to the update route as well.
- When no session exists but userId is present in the request body, authRequired becomes false and server-only field validation is skipped (lines 280-295). Look for requests where the session is absent but userId is set in the body as a key indicator of exploitation.
- The vulnerability only affects deployments using the better-auth API keys plugin. Instances not using this plugin are not affected.
- The fix is present in better-auth version 1.3.26 and later. Deployments on versions prior to 1.3.26 are vulnerable.
- The Snort/Suricata rule (sid:2065283) requires TLS decryption to be effective against HTTPS-protected deployments, as indicated by the deployment metadata.
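The detection guidance above, as an added TypeScript example that is not from the page's sources: a matcher that mirrors the conditions of ET rule sid:2065283 (POST to the create route with "userId" and "name" in the body) and adds the "no session cookie/token" condition from the first bullet. The request shape, lowercase header names and the session cookie name are assumptions; adjust the cookie name to the deployment.

```typescript
// Added detection example, not code from the page's sources or from Better Auth.
type HttpRequest = {
  method: string;
  uri: string;
  headers: Record<string, string>; // header names assumed lowercase
  body: string;
};
type Verdict = { ruleMatch: boolean; unauthenticated: boolean; alert: boolean };

const CREATE_ROUTE = "/api/auth/api-key/create";
const SESSION_COOKIE = "better-auth.session_token"; // assumed cookie name; adjust per deployment

// A request counts as carrying a credential if it has the session cookie or a bearer token.
function hasSessionCredential(req: HttpRequest): boolean {
  const cookie = req.headers["cookie"] ?? "";
  const hasCookie = cookie.split(";").some((c) => c.trim().startsWith(`${SESSION_COOKIE}=`));
  const hasBearer = /^bearer\s+\S+/i.test(req.headers["authorization"] ?? "");
  return hasCookie || hasBearer;
}

// ruleMatch reproduces the rule's http.method / http.uri startswith / http.request_body checks;
// alert additionally requires the request to be unauthenticated (the bypass pattern itself).
function inspect(req: HttpRequest): Verdict {
  const ruleMatch =
    req.method === "POST" &&
    req.uri.startsWith(CREATE_ROUTE) &&
    req.body.includes('"userId"') &&
    req.body.includes('"name"');
  const unauthenticated = !hasSessionCredential(req);
  return { ruleMatch, unauthenticated, alert: ruleMatch && unauthenticated };
}

// Constructed sample traffic.
const bypassAttempt: HttpRequest = {
  method: "POST",
  uri: "/api/auth/api-key/create",
  headers: { "content-type": "application/json" },
  body: '{"userId":"victim-user-id","name":"takeover"}',
};
// Same body, but from a session holder: the rule still fires, the bypass condition does not.
const authenticatedCreate: HttpRequest = {
  ...bypassAttempt,
  headers: { ...bypassAttempt.headers, cookie: `${SESSION_COOKIE}=abc123` },
};
const unrelatedPost: HttpRequest = { ...bypassAttempt, uri: "/api/auth/sign-in/email", body: '{"email":"a@b.c"}' };
```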
GHSA
Better Auth: Unauthenticated API key creation through api-key plugin
ghsa · 2025-10-09 · CVE-2025-61928 [HIGH] · CWE-285
### **Summary**
A critical authentication bypass was identified in the API key creation and update endpoints. An attacker could create or modify API keys for arbitrary users by supplying a victim’s user ID in the request body. Due to a flaw in how the authenticated user was derived, the endpoints could treat attacker-controlled input as an authenticated user object under certain conditions.
### **Details**
The vulnerability originated from fallback logic used when determining the current user. When no session was present, the handler incorrectly allowed request-body data to populate the user context used for authorization decisions. Because server-side validation only executed when authentication was required, privile
OSV
Better Auth: Unauthenticated API key creation through api-key plugin
osv · 2025-10-09 · CVE-2025-61928 [HIGH]
The OSV entry carries the same Summary and Details text as the GHSA entry above.
Suricata
ET WEB_SPECIFIC_APPS better-auth Unauthenticated API Key Creation (CVE-2025-61928)
suricata · 2025-10-21 · CVSS 9.3 · CVE-2025-61928 [CRITICAL]
Rule: sid:2065283, the Emerging Threats rule reproduced in full in the Detection & IOCs section above.
No public exploits indexed.
Wiz
Crying Out Cloud Monthly Newsletter - November | Wiz
blogs_wiz · 2025-11-19 · CVSS 9.9 · CVE-2025-49844 [CRITICAL]
Welcome back! In this edition, we bring you the latest in cloud security – noteworthy incidents, exclusive data, and crucial vulnerabilities. Let's dive in.
🔍 Highlights
RediShell: Critical RCE Vulnerability in Redis
Wiz Research discovered a critical RCE vulnerability (CVE-2025-49844) affecting Enterprise and Community versions of Redis, Valkey and managed Cloud services (ElastiCache, MemoryStore, Azure Cache). The flaw allows an authenticated user to use a specially crafted Lua script to manipulate the garbage collector, trigger a use-after-free and potentially lead to remote code execution. Since some distributions of Redis are configured without authentication by default, or use default or weak passwords for authentication, customers are advised to prioritize patching Internet-facin
Wiz
GHSA-x732-6j76-qmhm Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz
## GHSA-x732-6j76-qmhm: Better Auth vulnerability analysis and mitigation
## Summary
- `/path`
- `//path`
- `disabledPaths`
## Details
Better Auth uses better-call, which internally relies on rou3 for routing. Affected versions of rou3 normalize paths by removing empty segments. As a result:
- `/sign-in/email`
- `//sign-in/email`
- `///sign-in/email`
Vercel with Next.js (default): `//path`, `/path`
## Fix
Updating rou3 to the latest version resolves the issue:
`"rou3": "^0.5.1"`
The fix was introduced after that version (commit: https://github.com/h3js/rou3/commit/f60b43fa648399534507c9ac7db36d705b8874c3). Better Auth recommends:
- Upgrading to Better Auth v1.4.5 or later, which includes the updated rou3.
- Ensuring the proxy normalizes URLs.
- If project maintainers cannot upgrade yet, they can prote
Wiz
GHSA-xg6x-h9c9-2m83 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz · CVSS 9.3 · [CRITICAL]
## GHSA-xg6x-h9c9-2m83: Better Auth vulnerability analysis and mitigation
## Summary
Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.
## Description
Score: 9.1 · Severity: CRITICAL · Published: April 3, 2026 · CNA Score: N/A
Affected Technologies: Better Auth · Affected packages and libraries: better-auth
Has Public Exploit: No · Has CISA KEV Exploit: No · CISA KEV Release Date: N/A · CISA KEV Due Date: N/A
Exploitation Probability (EPSS): N/A · EPSS Percentile: N/A
Sources: NVD; npm (Severity CRITICAL, Has Fix, Added at Apr 05, 2026)