PT-2025-41497 · Unknown · Better Auth

Etiennelunetta · Published 2025-10-09 · Updated 2026-03-28 · CVE-2025-61928

CVSS v4.0: 9.3 Critical

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: Better Auth versions prior to 1.3.26
Description: Better Auth is an authentication and authorization library for TypeScript. A critical authentication bypass allows unauthenticated attackers to create or modify API keys for any user. This is achieved by sending a request to the /api/auth/api-key/create route with a user ID in the request body. The application logic incorrectly handles the absence of a session, allowing the attacker-controlled userId from the request body to be used to create or modify API keys. Specifically, the code session?.user ?? (authRequired ? null : { id: ctx.body.userId }) sets the user object based on the userId in the request body when no session exists. This bypasses authentication checks and allows the attacker to generate API keys for any user, potentially compromising user data and application functionality. The same issue exists in the update endpoint. It is estimated that over 300,000 projects download this library weekly, potentially making a large number of applications vulnerable.
API Endpoints: /api/auth/api-key/create
Vulnerable Parameters or Variables: userId, ctx.body
Recommendations: Update Better Auth to version 1.3.26 or later.
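
The fallback expression quoted in the description, modelled next to a hardened variant, as an added example that is not Better Auth's own code or its upstream patch. The types, function names, the `authRequired` parameter and the sample requests are assumptions made for illustration.

```typescript
// Simplified model of the user resolution described above.
// All type and function names are hypothetical, not Better Auth's API.
type User = { id: string };
type Session = { user: User } | null;
type Ctx = { body: { userId?: string; name?: string } };

// Vulnerable pattern: with no session and authRequired false, the identity
// is taken from the client-controlled request body.
function resolveUserVulnerable(session: Session, ctx: Ctx, authRequired: boolean): User | null {
  return session?.user ?? (authRequired ? null : { id: ctx.body.userId as string });
}

// Hardened pattern (an assumed safe design, not the upstream fix): identity
// comes only from a verified session, and a body userId that disagrees with
// the session is rejected rather than trusted.
function resolveUserHardened(session: Session, ctx: Ctx): User | null {
  if (!session) return null; // no session, no identity
  const claimed = ctx.body.userId;
  if (claimed !== undefined && claimed !== session.user.id) return null;
  return session.user;
}

// Hypothetical handler: refuses to mint a key unless a user was resolved.
function createApiKey(user: User | null): { status: number; ownerId?: string } {
  if (!user) return { status: 401 };
  return { status: 200, ownerId: user.id };
}

// Constructed sample requests and session.
const anonymous: Ctx = { body: { userId: "bob", name: "k1" } };
const ownRequest: Ctx = { body: { name: "k2" } };
const aliceSession: Session = { user: { id: "alice" } };

function demo() {
  return {
    // No session, yet a key is issued for the userId named in the body.
    vulnerableAnon: createApiKey(resolveUserVulnerable(null, anonymous, false)),
    // Same request against the hardened resolver is refused.
    hardenedAnon: createApiKey(resolveUserHardened(null, anonymous)),
    // Authenticated user creating a key for themselves still works.
    hardenedOwn: createApiKey(resolveUserHardened(aliceSession, ownRequest)),
    // Authenticated user naming a different userId is refused.
    hardenedCrossUser: createApiKey(resolveUserHardened(aliceSession, anonymous)),
  };
}

console.log(demo());
```

A regression test for the patched version can assert the same outcomes: a sessionless request carrying a userId must never yield a key.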

Exploit

Fix

Weakness Enumeration

Improper Authorization
Missing Authentication

Related Identifiers

CVE-2025-61928
GHSA-99H5-PJCV-GR6V

Affected Products

Better Auth