Search for vulnerabilities
| Vulnerability ID | VCID-hv9u-qvqb-c3by |
| Aliases |
GHSA-xg6x-h9c9-2m83
|
| Summary | Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache) ### Summary Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor. --- ### Description When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed. However, when `session.cookieCache` is enabled, the session generated during the initial sign-in step may be cached as valid **prior to 2FA verification**. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement. This results in a situation where session validity can be established before all authentication constraints are satisfied. --- ### Impact An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor. Any application using `better-auth` with both two-factor authentication and session cookie caching enabled may be affected. --- ### Mitigation * Upgrade to a version of `better-auth` that includes the fix for this issue. * Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed. * As a temporary workaround, disable `session.cookieCache` when using two-factor authentication. |
| Status | Published |
| Exploitability | None |
| Weighted Severity | None |
| Risk | None |
| Affected and Fixed Packages | Package Details |
| System | Score | Found at |
|---|---|---|
| cvssv4 | 9.1 | https://github.com/better-auth/better-auth |
| generic_textual | CRITICAL | https://github.com/better-auth/better-auth |
| cvssv4 | 9.1 | https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83 |
| generic_textual | CRITICAL | https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83 |
| Reference id | Reference type | URL |
|---|---|---|
| https://github.com/better-auth/better-auth | ||
| https://github.com/better-auth/better-auth/security/advisories/GHSA-xg6x-h9c9-2m83 | ||
| GHSA-xg6x-h9c9-2m83 | https://github.com/advisories/GHSA-xg6x-h9c9-2m83 |
| Attack Vector (AV) | Attack Complexity (AC) | Attack Requirements (AT) | Privileges Required (PR) | User Interaction (UI) | Vulnerable System Impact Confidentiality (VC) | Vulnerable System Impact Integrity (VI) | Vulnerable System Impact Availability (VA) | Subsequent System Impact Confidentiality (SC) | Subsequent System Impact Integrity (SI) | Subsequent System Impact Availability (SA) |
|---|---|---|---|---|---|---|---|---|---|---|
network adjacent local physical |
low high |
none present |
none low high |
none passive active |
high low none |
high low none |
high low none |
high low none |
high low none |
high low none |
| Attack Vector (AV) | Attack Complexity (AC) | Attack Requirements (AT) | Privileges Required (PR) | User Interaction (UI) | Vulnerable System Impact Confidentiality (VC) | Vulnerable System Impact Integrity (VI) | Vulnerable System Impact Availability (VA) | Subsequent System Impact Confidentiality (SC) | Subsequent System Impact Integrity (SI) | Subsequent System Impact Availability (SA) |
|---|---|---|---|---|---|---|---|---|---|---|
network adjacent local physical |
low high |
none present |
none low high |
none passive active |
high low none |
high low none |
high low none |
high low none |
high low none |
high low none |
No EPSS data available for this vulnerability.
| Date | Actor | Action | Source | VulnerableCode Version |
|---|---|---|---|---|
| 2026-06-12T07:46:31.704792+00:00 | GithubOSV Importer | Import | https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-xg6x-h9c9-2m83/GHSA-xg6x-h9c9-2m83.json | 38.6.0 |