CVE-2025-61928
published 2025-10-09


Priority: P1 (79) · Severity: critical · CVSS 4.0 base score: 9.3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 18.01% (96.8th percentile)
Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. The handler resolves the acting user as `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation runs only when `authRequired` is true (lines 280-295), so attackers can also set privileged fields. No further authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass: an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access, then perform any action as the victim using that API key, potentially compromising the user's data and the application depending on the victim's privileges. Version 1.3.26 contains a patch for the issue.

Affected (2 ranges)

Vendor        Product       Version range    Fixed in
better-auth   better-auth   < 1.3.26         1.3.26
better-auth   better-auth   >= 0 < 1.3.26    1.3.26

Detection & IOCs (extracted from sources)

path: /api/auth/api-key/create
url: zeropath.com/blog/breaking-authentication-unauthenticated-api-key-creation-in-better-auth-cve-2025-61928
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS better-auth Unauthenticated API Key Creation (CVE-2025-61928)"; flow:established,to_server; http.uri; content:"/api/auth/api-key/create"; fast_pattern; startswith; http.request_body; content:"|22|userId|22|"; content:"|22|name|22|"; http.method; content:"POST"; reference:url,zeropath.com/blog/breaking-authentication-unauthenticated-api-key-creation-in-better-auth-cve-2025-61928; reference:cve,2025-61928; classtype:web-application-attack; sid:2065283; rev:1; metadata:attack_target Server, tls_state TLSDecrypt, created_at 2025_10_21, cve CVE_2025_61928, deployment Perimeter, deployment Internal, deployment SSLDecrypt, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_10_21, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect unauthenticated POST requests to /api/auth/api-key/create that include a 'userId' field in the JSON request body but carry no session cookie/token — this is the core exploit pattern for CVE-2025-61928.
  • Alert on HTTP POST request bodies containing both the byte sequence for '"userId"' (|22|userId|22|) and '"name"' (|22|name|22|) to the /api/auth/api-key/create URI, as used in the Emerging Threats Snort rule (sid:2065283).
  • The same authentication bypass pattern exists in the API key update endpoint — monitor for unauthenticated requests with attacker-supplied userId to the update route as well.
  • When no session exists but userId is present in the request body, authRequired becomes false and server-only field validation is skipped (lines 280-295). Look for requests where session is absent but userId is set in the body as a key indicator of exploitation.
  • The vulnerability only affects deployments using the better-auth API keys plugin. Instances not using this plugin are not affected.
  • The fix is present in better-auth version 1.3.26 and later. Deployments on versions prior to 1.3.26 are vulnerable.
  • The Snort/Suricata rule (sid:2065283) requires TLS decryption to be effective against HTTPS-protected deployments, as indicated by the deployment metadata.