A extreme vulnerability within the widespread better-auth library’s API keys plugin allows attackers to generate privileged credentials for any person with out authentication.
Dubbed CVE-2025-61928, the difficulty impacts better-auth, a TypeScript authentication framework downloaded round 300,000 occasions weekly on npm.
This flaw may result in widespread account compromises, significantly for purposes counting on API keys for automated entry. Higher-auth powers authentication for fast-growing startups and main enterprises, together with power large Equinor.
Its plugin structure simplifies including options like API key administration, however a refined bug within the authorization logic opened the door to exploitation.
ZeroPath uncovered the vulnerability throughout scans of third-party dependencies, highlighting dangers in authentication libraries that underpin total utility ecosystems.
Higher Auth API Keys Vulnerability
The issue lies within the createApiKey handler throughout the plugin. Usually, it derives person context from an energetic session to implement safety checks.
Nonetheless, when a request lacks a session however features a userId within the physique, the code units an “authRequired” flag to false. This skips essential validations, permitting the handler to manufacture a person object from attacker-supplied knowledge.
In consequence, unauthenticated attackers can POST to the /api/auth/api-key/create endpoint with a goal person’s ID, identify, and elective privileged fields like charge limits or permissions.
The response returns a sound API key tied to the sufferer’s account, bypassing multi-factor authentication and enabling scripted takeovers. The identical logic impacts replace endpoints, amplifying the chance.
API keys typically grant long-lived, elevated privileges for automation, making this vulnerability significantly harmful. Attackers may impersonate customers, entry delicate knowledge, or automate malicious actions throughout providers.
Solely deployments with the API keys plugin are impacted, however given better-auth’s adoption, publicity is important. To mitigate, improve instantly to better-auth model 1.3.26 or later, which fixes the authorization examine.
Rotate all API keys created through the plugin, invalidate unused ones, and audit logs for suspicious unauthenticated requests to create or replace endpoints, particularly these setting userId or high-privilege values.
The maintainers patched it swiftly after disclosure on October 2. The advisory (GHSA-99h5-pjcv-gr6v) was revealed on October 8 through GitHub, and the CVE was assigned the following day.
Observe us on Google Information, LinkedIn, and X for each day cybersecurity updates. Contact us to function your tales.
