Lookup for vulnerable packages by Package URL.

Purl pkg:npm/better-auth@1.2.5-beta.10
Type npm
Namespace
Name better-auth
Version 1.2.5-beta.10
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version 1.4.9
Latest_non_vulnerable_version 1.6.11
Affected_by_vulnerabilities
0
url VCID-hv9u-qvqb-c3by
vulnerability_id VCID-hv9u-qvqb-c3by
summary Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
### Summary

Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.

---

### Description

When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.

However, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.

This results in a situation where session validity can be established before all authentication constraints are satisfied.

---

### Impact

An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.

Any application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected.

---

### Mitigation

* Upgrade to a version of `better-auth` that includes the fix for this issue.
* Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.
* As a temporary workaround, disable `session.cookieCache` when using two-factor authentication.
references
0
reference_url https://github.com/better-auth/better-auth
reference_id
reference_type
scores
0
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
1
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth
1
reference_url https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83
reference_id
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
1
value 9.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
2
value CRITICAL
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83
2
reference_url https://github.com/advisories/GHSA-xg6x-h9c9-2m83
reference_id GHSA-xg6x-h9c9-2m83
reference_type
scores
0
value CRITICAL
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xg6x-h9c9-2m83
fixed_packages
0
url pkg:npm/better-auth@1.4.9
purl pkg:npm/better-auth@1.4.9
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.9
aliases GHSA-xg6x-h9c9-2m83
risk_score 4.5
exploitability 0.5
weighted_severity 9.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hv9u-qvqb-c3by
1
url VCID-wq9k-qm9f-h3aa
vulnerability_id VCID-wq9k-qm9f-h3aa
summary Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-callback. This vulnerability is fixed in 1.2.10.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-53535
reference_id
reference_type
scores
0
value 0.00309
scoring_system epss
scoring_elements 0.54587
published_at 2026-06-12T12:55:00Z
1
value 0.00309
scoring_system epss
scoring_elements 0.54586
published_at 2026-06-14T12:55:00Z
2
value 0.00309
scoring_system epss
scoring_elements 0.54462
published_at 2026-06-11T12:55:00Z
3
value 0.00309
scoring_system epss
scoring_elements 0.54603
published_at 2026-06-13T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-53535
1
reference_url https://github.com/better-auth/better-auth
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth
2
reference_url https://github.com/better-auth/better-auth/commit/9801d1be53d9da04686b94c6286c53ec97496740
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth/commit/9801d1be53d9da04686b94c6286c53ec97496740
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-53535
reference_id
reference_type
scores
0
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-53535
4
reference_url https://github.com/advisories/GHSA-36rg-gfq2-3h56
reference_id GHSA-36rg-gfq2-3h56
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-36rg-gfq2-3h56
5
reference_url https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56
reference_id GHSA-36rg-gfq2-3h56
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P
2
value 2.1
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3
value LOW
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2025-07-07T17:48:21Z/
url https://github.com/better-auth/better-auth/security/advisories/GHSA-36rg-gfq2-3h56
fixed_packages
0
url pkg:npm/better-auth@1.2.10
purl pkg:npm/better-auth@1.2.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hv9u-qvqb-c3by
1
vulnerability VCID-wvwj-npt5-qye2
2
vulnerability VCID-xcfr-utg2-u7a8
3
vulnerability VCID-z32n-9h42-cbd3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.2.10
aliases CVE-2025-53535, GHSA-36rg-gfq2-3h56
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wq9k-qm9f-h3aa
2
url VCID-wvwj-npt5-qye2
vulnerability_id VCID-wvwj-npt5-qye2
summary Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits
references
0
reference_url https://github.com/better-auth/better-auth
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth
1
reference_url https://github.com/advisories/GHSA-x732-6j76-qmhm
reference_id GHSA-x732-6j76-qmhm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-x732-6j76-qmhm
2
reference_url https://github.com/better-auth/better-auth/security/advisories/GHSA-x732-6j76-qmhm
reference_id GHSA-x732-6j76-qmhm
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth/security/advisories/GHSA-x732-6j76-qmhm
fixed_packages
0
url pkg:npm/better-auth@1.4.5
purl pkg:npm/better-auth@1.4.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hv9u-qvqb-c3by
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.5
aliases GHSA-x732-6j76-qmhm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wvwj-npt5-qye2
3
url VCID-xcfr-utg2-u7a8
vulnerability_id VCID-xcfr-utg2-u7a8
summary Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. The affected code resolves the user as `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass: an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the API key, potentially compromising the user's data and the application, depending on the victim's privileges. Version 1.3.26 contains a patch for the issue.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61928
reference_id
reference_type
scores
0
value 0.00204
scoring_system epss
scoring_elements 0.42766
published_at 2026-06-12T12:55:00Z
1
value 0.00204
scoring_system epss
scoring_elements 0.42775
published_at 2026-06-14T12:55:00Z
2
value 0.00204
scoring_system epss
scoring_elements 0.42785
published_at 2026-06-13T12:55:00Z
3
value 0.00204
scoring_system epss
scoring_elements 0.42604
published_at 2026-06-11T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61928
1
reference_url https://github.com/better-auth/better-auth
reference_id
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth
2
reference_url https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39
reference_id 556085067609c508f8c546ceef9003ee8c607d39
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
2
value HIGH
scoring_system generic_textual
scoring_elements
3
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:23:17Z/
url https://github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61928
reference_id CVE-2025-61928
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61928
4
reference_url https://github.com/advisories/GHSA-99h5-pjcv-gr6v
reference_id GHSA-99h5-pjcv-gr6v
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-99h5-pjcv-gr6v
5
reference_url https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v
reference_id GHSA-99h5-pjcv-gr6v
reference_type
scores
0
value 8.6
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value 9.3
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track*
scoring_system ssvc
scoring_elements SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2025-10-10T14:23:17Z/
url https://github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v
fixed_packages
0
url pkg:npm/better-auth@1.3.26
purl pkg:npm/better-auth@1.3.26
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hv9u-qvqb-c3by
1
vulnerability VCID-wvwj-npt5-qye2
2
vulnerability VCID-z32n-9h42-cbd3
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.3.26
aliases CVE-2025-61928, GHSA-99h5-pjcv-gr6v
risk_score 4.2
exploitability 0.5
weighted_severity 8.4
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xcfr-utg2-u7a8
4
url VCID-z32n-9h42-cbd3
vulnerability_id VCID-z32n-9h42-cbd3
summary Better Auth affected by external request basePath modification DoS
references
0
reference_url https://github.com/better-auth/better-auth
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth
1
reference_url https://github.com/better-auth/better-auth/releases/tag/v1.4.2
reference_id
reference_type
scores
0
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
1
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth/releases/tag/v1.4.2
2
reference_url https://github.com/advisories/GHSA-569q-mpph-wgww
reference_id GHSA-569q-mpph-wgww
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-569q-mpph-wgww
3
reference_url https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww
reference_id GHSA-569q-mpph-wgww
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
1
value 2.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P
2
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww
fixed_packages
0
url pkg:npm/better-auth@1.4.2
purl pkg:npm/better-auth@1.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-hv9u-qvqb-c3by
1
vulnerability VCID-wvwj-npt5-qye2
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.4.2
aliases GHSA-569q-mpph-wgww
risk_score 1.4
exploitability 0.5
weighted_severity 2.7
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-z32n-9h42-cbd3
Fixing_vulnerabilities
Risk_score 4.5
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/better-auth@1.2.5-beta.10