better-auth
16 known vulnerabilities · 0 critical · 0 high
Better Auth affected by external request basePath modification DoS
Better Auth: Unauthenticated API key creation through api-key plugin
Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes
Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)
Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint
Better Auth allows bypassing the trustedOrigins Protection which leads to ATO
Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
Better Auth has an Open Redirect via Scheme-Less Callback Parameter
Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
Malicious code in better-auth-nuxt (npm)
Malicious code in @silgi/better-auth (npm)
Malicious code in @mastra/auth-better-auth (npm)