A severe vulnerability in the better-auth API keys plugin has been identified, enabling attackers to generate privileged API keys without authentication. The flaw, cataloged as CVE-2025-61928, affects all versions of the library before 1.3.26; better-auth is widely used across various industries.
Discovery of the Vulnerability
The vulnerability was detected on October 1, 2025, during an analysis by ZeroPath’s automated SAST scanner, which reviewed the canary branch of better-auth while ZeroPath was developing third-party dependency workflows for large corporations. The plugin, with approximately 300,000 weekly downloads, is integral to the authentication processes of many companies, including Equinor.
Details of the Exploitation
ZeroPath found that the issue lies in the createApiKey handler of the API keys plugin. The handler decides whether authentication is required by checking for either a session or a userId field. If no session is present but a userId is included in the request, the essential validation is bypassed, which can lead to account takeover.
An attacker can exploit this by sending a crafted POST request to /api/auth/api-key/create containing the target’s user ID and obtaining a valid API key for that user. The same vulnerability extends to the updateApiKey handler, adding the risk of existing credentials being altered.
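To make the handler defect concrete, here is an added illustration (not better-auth’s own source code) of the authorization pattern the article describes, next to a hardened form. The types and function names (Session, CreateKeyRequest, createApiKeyVulnerable, createApiKeyHardened) are assumptions made for this example; the point is that the key owner must be derived from the authenticated session, never from a caller-supplied userId.

```typescript
// Added illustration, not better-auth's source. Models the flaw described
// above: a create-API-key handler that trusts a caller-supplied userId when no
// session is present, beside a hardened form that derives identity from the
// session only. All names below are assumptions for this example.

interface Session { user: { id: string } }

interface CreateKeyRequest {
  session: Session | null;               // resolved from cookie / bearer token
  body: { userId?: string; name?: string };
}

interface Result { ok: boolean; userId?: string; error?: string }

// Pattern resembling the reported flaw (hypothetical reconstruction): the
// absence of a session is tolerated as long as the request body names a user,
// so any caller can mint a key for any userId.
function createApiKeyVulnerable(req: CreateKeyRequest): Result {
  const userId = req.session?.user.id ?? req.body.userId;
  if (!userId) return { ok: false, error: "unauthorized" };
  return { ok: true, userId };
}

// Hardened form: a session is mandatory, and the key owner is always the
// session user. A body userId is never used to pick the owner; if it is
// present and differs from the session user the request is refused, which
// also makes probing attempts visible in the logs.
function createApiKeyHardened(req: CreateKeyRequest): Result {
  if (!req.session) return { ok: false, error: "unauthorized" };
  const sessionUser = req.session.user.id;
  if (req.body.userId !== undefined && req.body.userId !== sessionUser) {
    return { ok: false, error: "forbidden: userId does not match session" };
  }
  return { ok: true, userId: sessionUser };
}

// Stand-alone demonstration with constructed requests.
function demo(): string[] {
  const noSession: CreateKeyRequest = { session: null, body: { userId: "victim-id" } };
  const alice: CreateKeyRequest = { session: { user: { id: "alice" } }, body: {} };
  return [
    `vulnerable, no session: ${JSON.stringify(createApiKeyVulnerable(noSession))}`,
    `hardened,   no session: ${JSON.stringify(createApiKeyHardened(noSession))}`,
    `hardened,   alice:      ${JSON.stringify(createApiKeyHardened(alice))}`,
  ];
}

for (const line of demo()) console.log(line);
```

If a server-side code path legitimately needs to issue keys on behalf of another user, gate it on a flag set by the framework itself (for example, an internal call marker), never on anything that can originate from the HTTP request body.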
Mitigation and Response
Organizations using the affected plugin should upgrade to version 1.3.26 or later to fix the issue. It is crucial to rotate all API keys generated during the vulnerable period and to invalidate any unused credentials. Monitoring application logs for unauthorized access attempts is also recommended.
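As an added example of the log monitoring recommended above (not tooling from better-auth or ZeroPath), the following scanner reads constructed JSON access-log lines and flags POST requests to the API-key create and update endpoints that arrived without a session. The log field names (ts, method, path, status, hasSession, srcIp) are assumptions; adapt them to your own logging format.

```typescript
// Added illustration, not tooling from better-auth or ZeroPath. Scans
// constructed JSON access-log lines (field names assumed) for API-key
// management requests that arrived without a session, which is the request
// shape the flaw accepted. A 2xx on such a request during the vulnerable
// window points at a key that must be rotated; a rejection after patching
// still shows someone probing the endpoint.

interface LogEntry {
  ts: string;           // ISO-8601 timestamp
  method: string;
  path: string;
  status: number;
  hasSession: boolean;  // whether a valid session accompanied the request
  srcIp: string;
}

interface Finding {
  ts: string;
  srcIp: string;
  path: string;
  status: number;
  severity: "high" | "medium";
  reason: string;
}

// Endpoints named in the advisory text above.
const WATCHED_PATHS = ["/api/auth/api-key/create", "/api/auth/api-key/update"];

// Parse one line; malformed lines yield null so one bad record does not
// abort the whole scan.
function parseLine(line: string): LogEntry | null {
  try {
    const e = JSON.parse(line);
    if (typeof e.path !== "string" || typeof e.status !== "number" ||
        typeof e.method !== "string" || typeof e.hasSession !== "boolean") {
      return null;
    }
    return e as LogEntry;
  } catch {
    return null;
  }
}

function scanLogs(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const e = parseLine(line);
    if (!e || e.method !== "POST" || !WATCHED_PATHS.includes(e.path)) continue;
    if (e.hasSession) continue; // normal authenticated use of the endpoint
    const base = { ts: e.ts, srcIp: e.srcIp, path: e.path, status: e.status };
    if (e.status >= 200 && e.status < 300) {
      findings.push({ ...base, severity: "high",
        reason: "key endpoint succeeded without a session; rotate affected keys" });
    } else {
      findings.push({ ...base, severity: "medium",
        reason: "unauthenticated key endpoint attempt (rejected)" });
    }
  }
  return findings;
}

// Constructed sample log lines for a stand-alone run.
const SAMPLE_LOGS: string[] = [
  '{"ts":"2025-10-01T10:00:00Z","method":"POST","path":"/api/auth/api-key/create","status":200,"hasSession":true,"srcIp":"10.0.0.5"}',
  '{"ts":"2025-10-01T10:02:13Z","method":"POST","path":"/api/auth/api-key/create","status":200,"hasSession":false,"srcIp":"203.0.113.7"}',
  '{"ts":"2025-10-03T08:15:40Z","method":"POST","path":"/api/auth/api-key/update","status":401,"hasSession":false,"srcIp":"203.0.113.7"}',
  '{"ts":"2025-10-03T08:16:02Z","method":"GET","path":"/api/auth/session","status":200,"hasSession":false,"srcIp":"198.51.100.9"}',
  'this line is not valid JSON and is skipped',
];

for (const f of scanLogs(SAMPLE_LOGS)) {
  console.log(`[${f.severity}] ${f.ts} ${f.srcIp} ${f.path} ${f.status}: ${f.reason}`);
}
```

Run over the real access logs for the period between the first deployment of an affected version and the upgrade to 1.3.26; every high-severity finding identifies a user whose API keys should be rotated regardless of whether other evidence of misuse exists.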
The maintainers of better-auth responded swiftly to the disclosure, releasing a patch within a day. The security advisory GHSA-99h5-pjcv-gr6v was published soon after, reflecting a collaborative effort to address the vulnerability promptly.
This incident underlines the importance of regular updates and of vigilance in monitoring for vulnerabilities in dependencies. Users are encouraged to follow cybersecurity updates to stay informed about potential threats.
