{"url":"http://public2.vulnerablecode.io/api/packages/793074?format=json","purl":"pkg:npm/better-auth@0.5.0","type":"npm","namespace":"","name":"better-auth","version":"0.5.0","qualifiers":{},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"1.4.9","latest_non_vulnerable_version":"1.6.11","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/90021?format=json","vulnerability_id":"VCID-2mgw-j7c3-dqbe","summary":"Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)\n### Summary\n\nUnder certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.\n\n---\n\n### Description\n\nWhen two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.\n\nHowever, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. 
Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.\n\nThis results in a situation where session validity can be established before all authentication constraints are satisfied.\n\n---\n\n### Impact\n\nAn attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.\n\nAny application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.\n\n---\n\n### Mitigation\n\n* Upgrade to `better-auth` 1.4.9 or later (the fixed version recorded for this advisory; 1.6.11 is the latest version on this page with no known vulnerabilities).\n* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.\n* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.","references":[{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83","reference_id":"","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83"},{"reference_url":"https://github.com/advisories/GHSA-xg6x-h9c9-2m83","reference_id":"GHSA-xg6x-h9c9-2m83","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_
elements":""}],"url":"https://github.com/advisories/GHSA-xg6x-h9c9-2m83"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/111286?format=json","purl":"pkg:npm/better-auth@1.4.9","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.9"}],"aliases":["GHSA-xg6x-h9c9-2m83"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-2mgw-j7c3-dqbe"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56704?format=json","vulnerability_id":"VCID-67cx-9tys-uqe7","summary":"Duplicate\nThis advisory duplicates another. Its references overlap with other records for this package: the fix commit b381cac7aafd6aa53ef78b6ab771ebfa24643c80 and the v1.1.21 release also appear under VCID-ar66-89hz-5bd8 (GHSA-vp58-j275-797x, trustedOrigins bypass), and GHSA-8jhw-6pjj-8723 is an alias of VCID-yjcr-rawr-5ffd (verify-email open redirect). Use those records, not this one, to decide affected and fixed versions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27143","reference_id":"","reference_type":"","scores":[{"value":"0.00205","scoring_system":"epss","scoring_elements":"0.42558","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00205","scoring_system":"epss","scoring_elements":"0.42567","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00205","scoring_system":"epss","scoring_elements":"0.42621","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00205","scoring_system":"epss","scoring_elements":"0.4261","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00205","scoring_system":"epss","scoring_elements":"0.42594","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-27143"},{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153","reference_id":"","reference_type":"","scores":[{"value":"6.
9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:28:45Z/"}],"url":"https://github.com/better-auth/better-auth/commit/24659aefc35a536b95ea4e5347e52c8803910153"},{"reference_url":"https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:28:45Z/"}],"url":"https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80"},{"reference_url":"https://github.com/better-auth/better-auth/releases/tag/v1.1.21","reference_id":"","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:28:45Z/"}],"url":"https://github.com/better-auth/better-auth/releases/tag/v1.1.21"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27143","reference_id":"CVE-2025-27143","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-27143"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories
/GHSA-8jhw-6pjj-8723","reference_id":"GHSA-8jhw-6pjj-8723","reference_type":"","scores":[{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:28:45Z/"}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723"},{"reference_url":"https://github.com/advisories/GHSA-hjpm-7mrm-26w8","reference_id":"GHSA-hjpm-7mrm-26w8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hjpm-7mrm-26w8"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8","reference_id":"GHSA-hjpm-7mrm-26w8","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2025-02-25T14:28:45Z/"}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-hjpm-7mrm-26w8"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84181?format=json","purl":"pkg:npm/better-auth@1.1.20","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mgw-j7c3-dqbe"},{"vulnerability":"VCID-6mwx-3amc-e3e5"},{"vulnerability":"VCID-ar66-89hz-5bd8"},{"vulnerability":"VCID-muah-31m2-4ydt"},{"vulnerability":"VCID-ngg5-xesv-5qhx"},{"vulnerability":"VCID-pggj-5m6j-6uh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.1.20"},{"url":"http://public2.vulnerablecode.io/api/packages/
804394?format=json","purl":"pkg:npm/better-auth@1.2.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mgw-j7c3-dqbe"},{"vulnerability":"VCID-6mwx-3amc-e3e5"},{"vulnerability":"VCID-muah-31m2-4ydt"},{"vulnerability":"VCID-ngg5-xesv-5qhx"},{"vulnerability":"VCID-pggj-5m6j-6uh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.2.0-beta.1"}],"aliases":["CVE-2025-27143","GHSA-hjpm-7mrm-26w8"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-67cx-9tys-uqe7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47985?format=json","vulnerability_id":"VCID-6mwx-3amc-e3e5","summary":"Better Auth: Unauthenticated API key creation through api-key plugin\nA critical authentication bypass was identified in the API key creation and update endpoints. An attacker could create or modify API keys for arbitrary users by supplying a victim’s user ID in the request body. 
Due to a flaw in how the authenticated user was derived, the endpoints could treat attacker-controlled input as an authenticated user object under certain conditions.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61928","reference_id":"","reference_type":"","scores":[{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42566","published_at":"2026-06-07T12:55:00Z"},{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42541","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42531","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42593","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00204","scoring_system":"epss","scoring_elements":"0.42582","published_at":"2026-06-05T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-61928"},{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:23:17Z/"}],"url":"https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39"},{"reference_url":"https://nvd.nist.gov/v
uln/detail/CVE-2025-61928","reference_id":"CVE-2025-61928","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61928"},{"reference_url":"https://github.com/advisories/GHSA-99h5-pjcv-gr6v","reference_id":"GHSA-99h5-pjcv-gr6v","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-99h5-pjcv-gr6v"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v","reference_id":"GHSA-99h5-pjcv-gr6v","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:23:17Z/"}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70790?format=json","purl":"pkg:npm/better-auth@1.3.26","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mgw-j7c3-dqbe"},{"vulnerability":"VCID-ngg5-xesv-5qhx"},{"vulnerability":"VCID-pggj-5m6j-6uh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.3.26"}],"aliases":["CVE-2025-61928","GHSA-99h5-pjcv-gr6v"],"risk_score":4.2,"exploitability":"0.5","weighted_severity":"8.4","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-6mwx-3amc-e3e5"},{"url":"http://public2.vulnerablecode.io/api/v
ulnerabilities/56702?format=json","vulnerability_id":"VCID-ar66-89hz-5bd8","summary":"Better Auth allows bypassing the trustedOrigins Protection which leads to ATO\nA bypass was discovered in the trustedOrigins validation logic—affecting both absolute URL entries and wildcard domain patterns. This flaw allows an attacker to construct a malicious callbackURL that passes origin checks and triggers an open redirect.\n\nBecause redirect endpoints include sensitive tokens (such as password-reset tokens), this vulnerability can enable one-click account takeover if a victim clicks a crafted link.","references":[{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/better-auth/better-auth/blob/ddebd0358d74376ea64541512d0167dd4377f182/packages/better-auth/src/api/middlewares/origin-check.ts#L53","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/blob/ddebd0358d74376ea64541512d0167dd4377f182/packages/better-auth/src/api/middlewares/origin-check.ts#L53"},{"reference_url":"https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/commit/b381cac7aafd6aa53ef78b6ab771ebfa24643c80"},{"reference_url":"https://github.com/
advisories/GHSA-vp58-j275-797x","reference_id":"GHSA-vp58-j275-797x","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-vp58-j275-797x"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-vp58-j275-797x","reference_id":"GHSA-vp58-j275-797x","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-vp58-j275-797x"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84176?format=json","purl":"pkg:npm/better-auth@1.1.21","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mgw-j7c3-dqbe"},{"vulnerability":"VCID-6mwx-3amc-e3e5"},{"vulnerability":"VCID-muah-31m2-4ydt"},{"vulnerability":"VCID-ngg5-xesv-5qhx"},{"vulnerability":"VCID-pggj-5m6j-6uh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.1.21"},{"url":"http://public2.vulnerablecode.io/api/packages/804394?format=json","purl":"pkg:npm/better-auth@1.2.0-beta.1","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mgw-j7c3-dqbe"},{"vulnerability":"VCID-6mwx-3amc-e3e5"},{"vulnerability":"VCID-muah-31m2-4ydt"},{"vulnerability":"VCID-ngg5-xesv-5qhx"},{"vulnerability":"VCID-pggj-5m6j-6uh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.2.0-beta.1"}],"aliases":["GHSA-vp58-j275-797x"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ar66-89hz-5bd8"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/57587?format=json","vulnerability_id":"VCID-muah-31m2-4ydt","summary":"Bette
r Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes\nAn open redirect has been found in the `originCheck` middleware function, which affects the following routes: `/verify-email`, `/reset-password/:token`, `/delete-user/callback`, `/magic-link/verify`, `/oauth-proxy-callback`.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2025-53535","reference_id":"","reference_type":"","scores":[{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.5437","published_at":"2026-06-08T12:55:00Z"},{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.54391","published_at":"2026-06-09T12:55:00Z"},{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.54404","published_at":"2026-06-06T12:55:00Z"},{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.54395","published_at":"2026-06-05T12:55:00Z"},{"value":"0.00309","scoring_system":"epss","scoring_elements":"0.54392","published_at":"2026-06-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2025-53535"},{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/better-auth/better-auth/commit/9801d1be53d9da04686b94c6286c53ec97496740","reference_id":"","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elemen
ts":""}],"url":"https://github.com/better-auth/better-auth/commit/9801d1be53d9da04686b94c6286c53ec97496740"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53535","reference_id":"CVE-2025-53535","reference_type":"","scores":[{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53535"},{"reference_url":"https://github.com/advisories/GHSA-36rg-gfq2-3h56","reference_id":"GHSA-36rg-gfq2-3h56","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-36rg-gfq2-3h56"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56","reference_id":"GHSA-36rg-gfq2-3h56","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"},{"value":"2.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T17:48:21Z/"}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/85643?format=json","purl":"pkg:npm/better-auth@1.2.10","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mgw-j7c3-dqbe"},{"vulnerability
":"VCID-6mwx-3amc-e3e5"},{"vulnerability":"VCID-ngg5-xesv-5qhx"},{"vulnerability":"VCID-pggj-5m6j-6uh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.2.10"}],"aliases":["CVE-2025-53535","GHSA-36rg-gfq2-3h56"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-muah-31m2-4ydt"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49450?format=json","vulnerability_id":"VCID-ngg5-xesv-5qhx","summary":"Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits\nAn issue in the underlying router library **rou3** can cause `/path` and `//path` to be treated as identical routes. If your environment does **not** normalize incoming URLs (e.g., by collapsing multiple slashes), this can allow bypasses of `disabledPaths` and path-based rate limits.","references":[{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/advisories/GHSA-x732-6j76-qmhm","reference_id":"GHSA-x732-6j76-qmhm","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-x732-6j76-qmhm"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-x732-6j76-qmhm","reference_id":"GHSA-x732-6j76-qmhm","reference_type":"","scores":[{"value":"8.6","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https
://github.com/better-auth/better-auth/security/advisories/GHSA-x732-6j76-qmhm"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/73003?format=json","purl":"pkg:npm/better-auth@1.4.5","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mgw-j7c3-dqbe"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.5"}],"aliases":["GHSA-x732-6j76-qmhm"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-ngg5-xesv-5qhx"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/49291?format=json","vulnerability_id":"VCID-pggj-5m6j-6uh6","summary":"Better Auth affected by external request basePath modification DoS\nAffected versions of Better Auth allow an external request to configure `baseURL` when it isn’t defined through any other means. This can be abused to poison the router’s base path, causing all routes to return 404 for all users.\n\nThis issue is only exploitable when `baseURL` is not explicitly configured (e.g., `BETTER_AUTH_URL` is missing) *and* the attacker is able to make the very first request to the server after startup. 
In properly configured environments or typical managed hosting platforms, this fallback behavior cannot be reached.","references":[{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/better-auth/better-auth/releases/tag/v1.4.2","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/releases/tag/v1.4.2"},{"reference_url":"https://github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09","reference_id":"","reference_type":"","scores":[{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09"},{"reference_url":"https://github.com/advisories/GHSA-569q-mpph-wgww","reference_id":"GHSA-569q-mpph-wgww","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-569q-mpph-wgww"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww","reference_id":"GHSA-569q-mpph-wgww","reference_type":"","scores":[{"value":"LOW","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"2.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"},{"value":"LOW"
,"scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/72689?format=json","purl":"pkg:npm/better-auth@1.4.2","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mgw-j7c3-dqbe"},{"vulnerability":"VCID-ngg5-xesv-5qhx"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.2"}],"aliases":["GHSA-569q-mpph-wgww"],"risk_score":1.4,"exploitability":"0.5","weighted_severity":"2.7","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-pggj-5m6j-6uh6"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56586?format=json","vulnerability_id":"VCID-r4zk-j7bm-57cf","summary":"Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)\nThe better-auth `/api/auth/error` page was vulnerable to HTML injection, resulting in a reflected cross-site scripting (XSS) 
vulnerability.","references":[{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/blob/05ada0b79dbcac93cc04ceb79b23ca598d07830c/packages/better-auth/src/api/routes/error.ts#L81"},{"reference_url":"https://github.com/better-auth/better-auth/commit/7ae340e2eddad641b7e43d24d37c58a66ce9ddcf","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/commit/7ae340e2eddad641b7e43d24d37c58a66ce9ddcf"},{"reference_url":"https://github.com/advisories/GHSA-9x4v-xfq5-m8x5","reference_id":"GHSA-9x4v-xfq5-m8x5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-9x4v-xfq5-m8x5"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-9x4v-xfq5-m8x5","reference_id":"GHSA-9x4v-xfq5-m8x5","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"5.1","scoring_system":"cvssv4","scoring_elements":"CVSS:4
.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-9x4v-xfq5-m8x5"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/84027?format=json","purl":"pkg:npm/better-auth@1.1.16","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mgw-j7c3-dqbe"},{"vulnerability":"VCID-67cx-9tys-uqe7"},{"vulnerability":"VCID-6mwx-3amc-e3e5"},{"vulnerability":"VCID-ar66-89hz-5bd8"},{"vulnerability":"VCID-muah-31m2-4ydt"},{"vulnerability":"VCID-ngg5-xesv-5qhx"},{"vulnerability":"VCID-pggj-5m6j-6uh6"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.1.16"}],"aliases":["GHSA-9x4v-xfq5-m8x5"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-r4zk-j7bm-57cf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/56413?format=json","vulnerability_id":"VCID-yjcr-rawr-5ffd","summary":"Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint\nAn **open redirect vulnerability** has been identified in the **verify email endpoint** of Better Auth, potentially allowing attackers to redirect users to malicious websites. 
This issue affects users relying on email verification links generated by the library.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56734","reference_id":"","reference_type":"","scores":[{"value":"0.0016","scoring_system":"epss","scoring_elements":"0.3667","published_at":"2026-06-07T12:55:00Z"},{"value":"0.0016","scoring_system":"epss","scoring_elements":"0.36643","published_at":"2026-06-09T12:55:00Z"},{"value":"0.0016","scoring_system":"epss","scoring_elements":"0.36633","published_at":"2026-06-08T12:55:00Z"},{"value":"0.0016","scoring_system":"epss","scoring_elements":"0.36698","published_at":"2026-06-05T12:55:00Z"},{"value":"0.0016","scoring_system":"epss","scoring_elements":"0.36706","published_at":"2026-06-06T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-56734"},{"reference_url":"https://github.com/better-auth/better-auth","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/better-auth/better-auth"},{"reference_url":"https://github.com/better-auth/better-auth/commit/deb3d73aea90d0468d92723f4511542b593e522f","reference_id":"","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-30T17:36:35Z/"}],"url":"https://github.com/better-auth/better-auth/commit/deb3d73aea90d0468d92723f4511542b593e522f"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56734","reference_id":"CVE-2024-56734","reference_type":"","scores":[{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/U
I:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-56734"},{"reference_url":"https://github.com/advisories/GHSA-8jhw-6pjj-8723","reference_id":"GHSA-8jhw-6pjj-8723","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-8jhw-6pjj-8723"},{"reference_url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723","reference_id":"GHSA-8jhw-6pjj-8723","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-12-30T17:36:35Z/"}],"url":"https://github.com/better-auth/better-auth/security/advisories/GHSA-8jhw-6pjj-8723"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/83666?format=json","purl":"pkg:npm/better-auth@1.1.6","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-2mgw-j7c3-dqbe"},{"vulnerability":"VCID-67cx-9tys-uqe7"},{"vulnerability":"VCID-6mwx-3amc-e3e5"},{"vulnerability":"VCID-ar66-89hz-5bd8"},{"vulnerability":"VCID-muah-31m2-4ydt"},{"vulnerability":"VCID-ngg5-xesv-5qhx"},{"vulnerability":"VCID-pggj-5m6j-6uh6"},{"vulnerability":"VCID-r4zk-j7bm-57cf"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.1.6"}],"aliases":["CVE-2024-56734","GHSA-8jhw-6pjj-8723"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-yjcr-rawr-5ffd"}],"fixing_vulnerabilities":[],"risk_score":"4.5","resource_url":"http://public2.vulnerablecode.io/packages/pkg:npm/better-a
uth@0.5.0"}