VulnerableCode Package Details - pkg:npm/better-auth@1.4.5

Search for packages

Vulnerability	Summary	Fixed by
VCID-hv9u-qvqb-c3by Aliases: GHSA-xg6x-h9c9-2m83	Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache) ### Summary Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor. --- ### Description When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed. However, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid prior to 2FA verification. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement. This results in a situation where session validity can be established before all authentication constraints are satisfied. --- ### Impact An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor. Any application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected. --- ### Mitigation * Upgrade to a version of `better-auth` that includes the fix for this issue. * Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed. * As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.	1.4.9 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-hv9u-qvqb-c3by
Aliases:
GHSA-xg6x-h9c9-2m83

Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache) ### Summary Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor. --- ### Description When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed. However, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement. This results in a situation where session validity can be established before all authentication constraints are satisfied. --- ### Impact An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor. Any application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected. --- ### Mitigation * Upgrade to a version of `better-auth` that includes the fix for this issue. * Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed. * As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.

1.4.9
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-wvwj-npt5-qye2	Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits	GHSA-x732-6j76-qmhm

Vulnerability

Summary

Aliases

VCID-wvwj-npt5-qye2

Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

GHSA-x732-6j76-qmhm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-06-12T21:52:24.159510+00:00	GitLab Importer	Affected by	VCID-hv9u-qvqb-c3by	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/better-auth/GHSA-xg6x-h9c9-2m83.yml	38.6.0
2026-06-12T15:49:50.189001+00:00	GitLab Importer	Fixing	VCID-wvwj-npt5-qye2	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/better-auth/GHSA-x732-6j76-qmhm.yml	38.6.0
2026-06-12T07:53:24.916788+00:00	GithubOSV Importer	Fixing	VCID-wvwj-npt5-qye2	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/12/GHSA-x732-6j76-qmhm/GHSA-x732-6j76-qmhm.json	38.6.0
2026-06-11T20:37:05.456666+00:00	GHSA Importer	Fixing	VCID-wvwj-npt5-qye2	https://github.com/advisories/GHSA-x732-6j76-qmhm	38.6.0