Look up vulnerabilities affecting packages.
{ "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21701?format=api", "vulnerability_id": "VCID-fs78-rxdg-aqap", "summary": "Better Auth affected by external request basePath modification DoS\nAffected versions of Better Auth allow an external request to configure `baseURL` when it isn’t defined through any other means. This can be abused to poison the router’s base path, causing all routes to return 404 for all users.\n\nThis issue is only exploitable when `baseURL` is not explicitly configured (e.g., `BETTER_AUTH_URL` is missing) *and* the attacker is able to make the very first request to the server after startup. In properly configured environments or typical managed hosting platforms, this fallback behavior cannot be reached.", "aliases": [ { "alias": "GHSA-569q-mpph-wgww" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/71483?format=api", "purl": "pkg:npm/better-auth@1.4.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.2" } ], "affected_packages": [], "references": [ { "reference_url": "https://github.com/better-auth/better-auth", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth" }, { "reference_url": "https://github.com/better-auth/better-auth/releases/tag/v1.4.2", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth/releases/tag/v1.4.2" }, { "reference_url": 
"https://github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09", "reference_id": "", "reference_type": "", "scores": [ { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09" }, { "reference_url": "https://github.com/advisories/GHSA-569q-mpph-wgww", "reference_id": "GHSA-569q-mpph-wgww", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-569q-mpph-wgww" }, { "reference_url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww", "reference_id": "GHSA-569q-mpph-wgww", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "2.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww" } ], "weaknesses": [ { "cwe_id": 73, "name": "External Control of File Name or Path", "description": "The product allows user input to control or influence paths or file names that are used in filesystem operations." }, { "cwe_id": 937, "name": "OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013." }, { "cwe_id": 1035, "name": "OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities", "description": "Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017." 
} ], "exploits": [], "severity_range_score": "0.1 - 3", "exploitability": null, "weighted_severity": null, "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-fs78-rxdg-aqap" }