{
  "url": "http://public2.vulnerablecode.io/api/packages/1014367?format=json",
  "purl": "pkg:npm/better-auth@1.4.6",
  "type": "npm",
  "namespace": "",
  "name": "better-auth",
  "version": "1.4.6",
  "qualifiers": {},
  "subpath": "",
  "is_vulnerable": true,
  "next_non_vulnerable_version": "1.4.9",
  "latest_non_vulnerable_version": "1.6.11",
  "affected_by_vulnerabilities": [
    {
      "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90021?format=json",
      "vulnerability_id": "VCID-2mgw-j7c3-dqbe",
      "summary": "Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)\n### Summary\n\nUnder certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.\n\n---\n\n### Description\n\nWhen two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.\n\nHowever, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.\n\nThis results in a situation where session validity can be established before all authentication constraints are satisfied.\n\n---\n\n### Impact\n\nAn attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.\n\nAny application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.\n\n---\n\n### Mitigation\n\n* Upgrade to a version of `better-auth` that includes the fix for this issue.\n* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.\n* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.",
      "references": [
        {
          "reference_url": "https://github.com/better-auth/better-auth",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/better-auth/better-auth"
        },
        {
          "reference_url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83",
          "reference_id": "",
          "reference_type": "",
          "scores": [
            {"value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""},
            {"value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},
            {"value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": ""}
          ],
          "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83"
        },
        {
          "reference_url": "https://github.com/advisories/GHSA-xg6x-h9c9-2m83",
          "reference_id": "GHSA-xg6x-h9c9-2m83",
          "reference_type": "",
          "scores": [
            {"value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": ""}
          ],
          "url": "https://github.com/advisories/GHSA-xg6x-h9c9-2m83"
        }
      ],
      "fixed_packages": [
        {
          "url": "http://public2.vulnerablecode.io/api/packages/111286?format=json",
          "purl": "pkg:npm/better-auth@1.4.9",
          "is_vulnerable": false,
          "affected_by_vulnerabilities": [],
          "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.9"
        }
      ],
      "aliases": ["GHSA-xg6x-h9c9-2m83"],
      "risk_score": 4.5,
      "exploitability": "0.5",
      "weighted_severity": "9.0",
      "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2mgw-j7c3-dqbe"
    }
  ],
  "fixing_vulnerabilities": [],
  "risk_score": "4.5",
  "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.6"
}