Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:npm/better-auth@1.4.8-beta.7
Typenpm
Namespace
Namebetter-auth
Version1.4.8-beta.7
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version1.4.9
Latest_non_vulnerable_version1.6.11
Affected_by_vulnerabilities
0
url VCID-2mgw-j7c3-dqbe
vulnerability_id VCID-2mgw-j7c3-dqbe
summary 
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
### Summary

Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.

---

### Description

When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.

However, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.

This results in a situation where session validity can be established before all authentication constraints are satisfied.

---

### Impact

An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.

Any application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.

---

### Mitigation

* Upgrade to a version of `better-auth` that includes the fix for this issue.
* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.
* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.
references
0
reference_url https://github.com/better-auth/better-auth
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth
1
reference_url https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83
reference_id
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83
2
reference_url https://github.com/advisories/GHSA-xg6x-h9c9-2m83
reference_id GHSA-xg6x-h9c9-2m83
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xg6x-h9c9-2m83
fixed_packages
0
url pkg:npm/better-auth@1.4.9
purl pkg:npm/better-auth@1.4.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.9
aliases GHSA-xg6x-h9c9-2m83
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2mgw-j7c3-dqbe
Fixing_vulnerabilities
Risk_score4.5
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.8-beta.7