Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/1014378?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/1014378?format=api", "purl": "pkg:npm/better-auth@1.4.8-beta.7", "type": "npm", "namespace": "", "name": "better-auth", "version": "1.4.8-beta.7", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "1.4.9", "latest_non_vulnerable_version": "1.6.11", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/90021?format=api", "vulnerability_id": "VCID-2mgw-j7c3-dqbe", "summary": "Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)\n### Summary\n\nUnder certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.\n\n---\n\n### Description\n\nWhen two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.\n\nHowever, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.\n\nThis results in a situation where session validity can be established before all authentication constraints are satisfied.\n\n---\n\n### Impact\n\nAn attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.\n\nAny application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.\n\n---\n\n### Mitigation\n\n* Upgrade to a version of `better-auth` that includes the fix for this issue.\n* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.\n* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.", "references": [ { "reference_url": "https://github.com/better-auth/better-auth", "reference_id": "", "reference_type": "", "scores": [ { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth" }, { "reference_url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83", "reference_id": "", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "9.1", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N" }, { "value": "CRITICAL", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83" }, { "reference_url": "https://github.com/advisories/GHSA-xg6x-h9c9-2m83", "reference_id": "GHSA-xg6x-h9c9-2m83", "reference_type": "", "scores": [ { "value": "CRITICAL", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xg6x-h9c9-2m83" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/111286?format=api", "purl": "pkg:npm/better-auth@1.4.9", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.9" } ], "aliases": [ "GHSA-xg6x-h9c9-2m83" ], "risk_score": 4.5, "exploitability": "0.5", "weighted_severity": "9.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2mgw-j7c3-dqbe" } ], "fixing_vulnerabilities": [], "risk_score": "4.5", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.8-beta.7" }