EUVD-2026-33073
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for or the configured IP-bearing header. IPv6 clients controlling a typical /6...
NPM: Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
NPM: Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation vulnerability discovered by ? in WordPress Npm better-auth versions 1.4.17...
GHSA-P6V2-XCPG-H6XW Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
Am I affected? Users are affected if all of the following are true:
- Their app uses better-auth at a version below 1.4.17, or at a v1.5 prerelease tagged 1.5.0-beta.8 or earlier.
- The app's authentication endpoints serve clients reachable over IPv6. Most managed hosts including Cloudflare, Vercel, Fly.io, AWS...
GHSA-WXW3-Q3M9-C3JR Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
Am I affected? Users are affected if all of the following are true:
- The application uses better-auth at a version below 1.6.2, or @better-auth/sso paired with such a version.
- The betterAuth `account.storeStateStrategy` option is set to "cookie". The default "database" is not affected.
- The application...
Better Auth Security Vulnerability
Better Auth is an open-source TypeScript framework for authentication. Versions of Better Auth prior to 1.6.5 contained a security vulnerability. This vulnerability stemmed from the clientPrivileges option recording creation operations. However, the OAuth client did not call the hook before...
@alstar/studio (=0.0.0-beta.20), @better-auth/cli (>=1.3.4 <=1.4.0-beta.28) +16 more potentially affected by unknown CVE via better-auth (>=1.3.34 <=1.4.0-beta.9)
better-auth NPM version =1.3.34, =1.3.4, =0.18.9, =0.5.2, =7.0.9-canary.2, =7.0.9-canary.2, =0.1.8, =0.1.0, =0.0.22, =0.10.0, =0.11.1-canary.15, =0.8.2, =0.0.10, =1.0.0, =1.0.4, =3.0.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-WMJR-V86C-M9JJ...
Better Auth Passkey Plugin allows passkey deletion through IDOR
Summary: Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey.
Details: `ctx.body.id` is implicitly trusted and used in passkey deletion queries. better-auth applications configured with...