{"url":"http://public2.vulnerablecode.io/api/packages/71483?format=json","purl":"pkg:npm/better-auth@1.4.2","type":"npm","namespace":"","name":"better-auth","version":"1.4.2","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.4.5","latest_non_vulnerable_version":"1.6.2","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21860?format=json","vulnerability_id":"VCID-rngc-9e2c-tyd9","summary":"Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits\nAn issue in the underlying router library **rou3** can cause `/path` and `//path` to be treated as identical routes. If your environment does **not** normalize incoming URLs (e.g., by collapsing multiple slashes), this can allow bypasses of `disabledPaths` and path-based rate limits.","references":[{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/advisories/GHSA-x732-6j76-qmhm","reference_id":"GHSA-x732-6j76-qmhm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x732-6j76-qmhm"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-x732-6j76-qmhm","reference_id":"GHSA-x732-6j76-qmhm","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-x732-6j76-qmhm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71797?format=json","purl":"pkg:npm/better-auth@1.4.5","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.5"}],"aliases":["GHSA-x732-6j76-qmhm"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-rngc-9e2c-tyd9"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/21701?format=json","vulnerability_id":"VCID-fs78-rxdg-aqap","summary":"Better Auth affected by external request basePath modification DoS\nAffected versions of Better Auth allow an external request to configure `baseURL` when it isn’t defined through any other means. This can be abused to poison the router’s base path, causing all routes to return 404 for all users.\n\nThis issue is only exploitable when `baseURL` is not explicitly configured (e.g., `BETTER_AUTH_URL` is missing) *and* the attacker is able to make the very first request to the server after startup. In properly configured environments or typical managed hosting platforms, this fallback behavior cannot be reached.","references":[{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/better-auth/better-auth/releases/tag/v1.4.2","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/releases/tag/v1.4.2"},{"reference_url":"https://github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09"},{"reference_url":"https://github.com/advisories/GHSA-569q-mpph-wgww","reference_id":"GHSA-569q-mpph-wgww","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-569q-mpph-wgww"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww","reference_id":"GHSA-569q-mpph-wgww","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/71483?format=json","purl":"pkg:npm/better-auth@1.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-rngc-9e2c-tyd9"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.2"}],"aliases":["GHSA-569q-mpph-wgww"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-fs78-rxdg-aqap"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.2"}