ghsa-99h5-pjcv-gr6v
Vulnerability from github
Published
2025-10-09 15:40
Modified
2025-10-13 15:39
Severity ?
9.3 (Critical) - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Summary
Better Auth: Unauthenticated API key creation through api-key plugin
Details

Summary

Unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the api/auth/api-key/create route.

Details

The vulnerability exists in the authentication logic at when checking for user authentication then derives the user as session?.user ?? (authRequired ? null : { id: ctx.body.userId }). When no session exists but userId is present in the request body, authRequired becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when authRequired is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint.

PoC

bash curl -X POST http://localhost:3000/api/auth/api-key/create \ -H 'Content-Type: application/json' \ -d '{ "userId": "victim-user-id", "name": "zeropath" }' Response contains the new API key whose userId matches the victim, confirming the bypass.

Impact

This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges.

This issue was found by ZeroPath.

Show details on source website

To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "better-auth"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.3.26"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2025-61928"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285",
      "CWE-306"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-10-09T15:40:50Z",
    "nvd_published_at": "2025-10-09T22:15:32Z",
    "severity": "CRITICAL"
  },
  "details": "### Summary\nUnauthenticated attackers can create or modify API keys for any user by passing that user\u0027s id in the request body to the `api/auth/api-key/create` route.\n\n### Details\nThe vulnerability exists in the authentication logic at when checking for user authentication then derives the user as `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint.\n\n### PoC\n```bash\ncurl -X POST http://localhost:3000/api/auth/api-key/create \\\n   -H \u0027Content-Type: application/json\u0027 \\\n   -d \u0027{\n         \"userId\": \"victim-user-id\",\n         \"name\": \"zeropath\"\n       }\u0027\n```\nResponse contains the new API key whose userId matches the victim, confirming the bypass. \n\n### Impact\nThis is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim\u0027s privileges.\n\nThis issue was found by [ZeroPath](https://zeropath.com).",
  "id": "GHSA-99h5-pjcv-gr6v",
  "modified": "2025-10-13T15:39:47Z",
  "published": "2025-10-09T15:40:50Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61928"
    },
    {
      "type": "WEB",
      "url": "https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/better-auth/better-auth"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Better Auth: Unauthenticated API key creation through api-key plugin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.