Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/812802?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/812802?format=api", "purl": "pkg:npm/better-auth@1.2.5-beta.10", "type": "npm", "namespace": "", "name": "better-auth", "version": "1.2.5-beta.10", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.4.9", "latest_non_vulnerable_version": "1.6.11", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/359918?format=api", "vulnerability_id": "VCID-hv9u-qvqb-c3by", "summary": "Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)\n### Summary\n\nUnder certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.\n\n---\n\n### Description\n\nWhen two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.\n\nHowever, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.\n\nThis results in a situation where session validity can be established before all authentication constraints are satisfied.\n\n---\n\n### Impact\n\nAn attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.\n\nAny application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.\n\n---\n\n### Mitigation\n\n* Upgrade to a version of `better-auth` that includes the fix for this issue.\n* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.\n* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.", "references": [ { "reference_url": "https://github.com/better-auth/better-auth", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth" }, { "reference_url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83" }, { "reference_url": "https://github.com/advisories/GHSA-xg6x-h9c9-2m83", "reference_id": "GHSA-xg6x-h9c9-2m83", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xg6x-h9c9-2m83" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/374122?format=api", "purl": "pkg:npm/better-auth@1.4.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.9" } ], "aliases": [ "GHSA-xg6x-h9c9-2m83" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-hv9u-qvqb-c3by" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/105233?format=api", "vulnerability_id": "VCID-wq9k-qm9f-h3aa", "summary": "Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53535", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00309", "scoring_system": "epss", "scoring_elements": "0.54587", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00309", "scoring_system": "epss", "scoring_elements": "0.54586", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00309", "scoring_system": "epss", "scoring_elements": "0.54462", "published_at": "2026-06-11T12:55:00Z" }, { "value": "0.00309", "scoring_system": "epss", "scoring_elements": "0.54603", "published_at": "2026-06-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-53535" }, { "reference_url": "https://github.com/better-auth/better-auth", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth" }, { "reference_url": "https://github.com/better-auth/better-auth/commit/9801d1be53d9da04686b94c6286c53ec97496740", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth/commit/9801d1be53d9da04686b94c6286c53ec97496740" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53535", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53535" }, { "reference_url": "https://github.com/advisories/GHSA-36rg-gfq2-3h56", "reference_id": "GHSA-36rg-gfq2-3h56", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-36rg-gfq2-3h56" }, { "reference_url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56", "reference_id": "GHSA-36rg-gfq2-3h56", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "2.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T17:48:21Z/" } ], "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/378422?format=api", "purl": "pkg:npm/better-auth@1.2.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hv9u-qvqb-c3by" }, { "vulnerability": "VCID-wvwj-npt5-qye2" }, { "vulnerability": "VCID-xcfr-utg2-u7a8" }, { "vulnerability": "VCID-z32n-9h42-cbd3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.2.10" } ], "aliases": [ "CVE-2025-53535", "GHSA-36rg-gfq2-3h56" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wq9k-qm9f-h3aa" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212432?format=api", "vulnerability_id": "VCID-wvwj-npt5-qye2", "summary": "Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits", "references": [ { "reference_url": "https://github.com/better-auth/better-auth", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth" }, { "reference_url": "https://github.com/advisories/GHSA-x732-6j76-qmhm", "reference_id": "GHSA-x732-6j76-qmhm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x732-6j76-qmhm" }, { "reference_url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-x732-6j76-qmhm", "reference_id": "GHSA-x732-6j76-qmhm", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-x732-6j76-qmhm" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/36252?format=api", "purl": "pkg:npm/better-auth@1.4.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hv9u-qvqb-c3by" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.5" } ], "aliases": [ "GHSA-x732-6j76-qmhm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wvwj-npt5-qye2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/127951?format=api", "vulnerability_id": "VCID-xcfr-utg2-u7a8", "summary": "Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges. Version 1.3.26 contains a patch for the issue.", "references": [ { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61928", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00204", "scoring_system": "epss", "scoring_elements": "0.42766", "published_at": "2026-06-12T12:55:00Z" }, { "value": "0.00204", "scoring_system": "epss", "scoring_elements": "0.42775", "published_at": "2026-06-14T12:55:00Z" }, { "value": "0.00204", "scoring_system": "epss", "scoring_elements": "0.42785", "published_at": "2026-06-13T12:55:00Z" }, { "value": "0.00204", "scoring_system": "epss", "scoring_elements": "0.42604", "published_at": "2026-06-11T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61928" }, { "reference_url": "https://github.com/better-auth/better-auth", "reference_id": "", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth" }, { "reference_url": "https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39", "reference_id": "556085067609c508f8c546ceef9003ee8c607d39", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:23:17Z/" } ], "url": "https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61928", "reference_id": "CVE-2025-61928", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61928" }, { "reference_url": "https://github.com/advisories/GHSA-99h5-pjcv-gr6v", "reference_id": "GHSA-99h5-pjcv-gr6v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-99h5-pjcv-gr6v" }, { "reference_url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v", "reference_id": "GHSA-99h5-pjcv-gr6v", "reference_type": "", "scores": [ { "value": "8.6", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.3", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track*", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:23:17Z/" } ], "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/34159?format=api", "purl": "pkg:npm/better-auth@1.3.26", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hv9u-qvqb-c3by" }, { "vulnerability": "VCID-wvwj-npt5-qye2" }, { "vulnerability": "VCID-z32n-9h42-cbd3" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.3.26" } ], "aliases": [ "CVE-2025-61928", "GHSA-99h5-pjcv-gr6v" ], "risk_score": 4.2, "exploitability": "0.5", "weighted_severity": "8.4", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xcfr-utg2-u7a8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212400?format=api", "vulnerability_id": "VCID-z32n-9h42-cbd3", "summary": "Better Auth affected by external request basePath modification DoS", "references": [ { "reference_url": "https://github.com/better-auth/better-auth", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth" }, { "reference_url": "https://github.com/better-auth/better-auth/releases/tag/v1.4.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth/releases/tag/v1.4.2" }, { "reference_url": "https://github.com/advisories/GHSA-569q-mpph-wgww", "reference_id": "GHSA-569q-mpph-wgww", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-569q-mpph-wgww" }, { "reference_url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww", "reference_id": "GHSA-569q-mpph-wgww", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/35628?format=api", "purl": "pkg:npm/better-auth@1.4.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-hv9u-qvqb-c3by" }, { "vulnerability": "VCID-wvwj-npt5-qye2" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.2" } ], "aliases": [ "GHSA-569q-mpph-wgww" ], "risk_score": 1.4, "exploitability": "0.5", "weighted_severity": "2.7", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-z32n-9h42-cbd3" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.2.5-beta.10" }