4 matches found
Authorization Bypass Through User-Controlled Key
Overview @better-auth/passkey is a Passkey plugin for Better Auth Affected versions of this package are vulnerable to Authorization Bypass Through User-Controlled Key via a POST /passkey/delete-passkey request. An attacker can delete arbitrary passkeys belonging to other users by providing their...
EUVD-2025-199652
Better Auth Passkey Plugin allows passkey deletion through IDOR...
GHSA-4VCF-Q4XF-F48M Better Auth Passkey Plugin allows passkey deletion through IDOR
Summary Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey. Details ctx.body.id is implicitly trusted and used in passkey deletion queries. better-auth applications configured with...
Better Auth Passkey Plugin allows passkey deletion through IDOR
Summary Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey. Details ctx.body.id is implicitly trusted and used in passkey deletion queries. better-auth applications configured with...