PT-2026-41393 · Better Auth+2 · Better Auth
Published
2026-05-15
·
Updated
2026-05-28
·
CVE-2026-45364
CVSS v3.1
7.3
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
Name of the Vulnerable Software and Affected Versions
Better Auth versions prior to 1.4.17
Better Auth versions prior to 1.5.0-beta.9
Description
The HTTP rate limiter in Better Auth identifies requests based on the exact textual IP address found in the
x-forwarded-for header or other configured IP-bearing headers. This implementation allows IPv6 clients with a /64 allocation to rotate through 2^64 distinct source addresses, effectively bypassing rate limits on endpoints such as '/sign-in/email', '/sign-up/email', and '/forget-password'. Additionally, a single client can bypass the limiter by varying the textual encoding of an IPv6 address (e.g., using uppercase, compression, or IPv4-mapped formats) to generate multiple distinct keys. This issue occurs because the getIp() function returns the IP value verbatim and the onRequestRateLimit() function constructs keys via simple string concatenation. This bypass enables unbounded authentication attempts, facilitating credential stuffing, brute-force attacks, and account enumeration.Recommendations
For versions prior to 1.4.17, upgrade to version 1.4.17 or later.
For versions prior to 1.5.0-beta.9, upgrade to version 1.5.0-beta.9 or later.
As a workaround for version 1.4.16, set
advanced.ipAddress.ipv6Subnet: 64 in the configuration.
For versions prior to 1.4.16, configure the IPv6 prefix length to /64 (or coarser) on the upstream CDN, WAF, or load balancer rate-limit policy.
As a partial mitigation for any version, tighten the customRules window for sign-in, sign-up, and password-reset endpoints.Exploit
Fix
Improper Restriction of Excessive Authentication Attempts
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Better Auth