VYPR
Get started
← All advisories
Critical severityOSV Advisory· Published Oct 9, 2025· Updated Apr 15, 2026

CVE-2025-61928

CVE-2025-61928

Description

Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the api/auth/api-key/create route. session?.user ?? (authRequired ? null : { id: ctx.body.userId }). When no session exists but userId is present in the request body, authRequired becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when authRequired is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint. This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges. Version 1.3.26 contains a patch for the issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
better-authnpm
< 1.3.261.3.26

Affected products

1

Patches

1
556085067609

fix: [security] api keys should properly check if a request is from client or server

https://github.com/better-auth/better-authBereket EngidaOct 3, 2025via ghsa
commit
2 files changed · +37 5
  • packages/better-auth/src/plugins/api-key/api-key.test.ts+26 3 modified
    @@ -98,6 +98,30 @@ describe("api-key", async () => {
 		expect(res.error?.body.message).toEqual(ERROR_CODES.UNAUTHORIZED_SESSION);
 	});
 
+	it("should fail to create api keys from the client if user id is provided", async () => {
+		const { headers, user } = await signInWithTestUser();
+		const response = await client.apiKey.create({
+			userId: user.id,
+		});
+		expect(response.error?.status).toBe(401);
+		const newUser = await auth.api.signUpEmail({
+			body: {
+				email: "new-email@email.com",
+				password: "password",
+				name: "test-name",
+			},
+		});
+		const response2 = await client.apiKey.create(
+			{
+				userId: newUser.user.id,
+			},
+			{
+				headers,
+			},
+		);
+		expect(response2.error?.status).toBe(401);
+	});
+
 	it("should successfully create API keys from server with userId", async () => {
 		const apiKey = await auth.api.createApiKey({
 			body: {
@@ -165,7 +189,7 @@ describe("api-key", async () => {
 		const { user } = await signInWithTestUser();
 		let err: any;
 		try {
-			const apiKeyResult = await auth.api.createApiKey({
+			await auth.api.createApiKey({
 				body: {
 					userId: user.id,
 				},
@@ -1947,8 +1971,8 @@ describe("api-key", async () => {
 				permissions,
 				userId: user.id,
 			},
-			headers,
 		});
+
 		const apiKeyResults = await auth.api.getApiKey({
 			query: {
 				id: apiKey.id,
@@ -1971,7 +1995,6 @@ describe("api-key", async () => {
 				permissions,
 				userId: user.id,
 			},
-			headers,
 		});
 		const apiKeyResults = await auth.api.verifyApiKey({
 			body: {
  • packages/better-auth/src/plugins/api-key/routes/create-api-key.ts+11 2 modified
    @@ -268,15 +268,24 @@ export function createApiKey({
 			} = ctx.body;
 
 			const session = await getSessionFromCtx(ctx);
-			const authRequired = (ctx.request || ctx.headers) && !ctx.body.userId;
+			const authRequired = ctx.request || ctx.headers;
 			const user =
-				session?.user ?? (authRequired ? null : { id: ctx.body.userId });
+				authRequired && !session
+					? null
+					: session?.user || { id: ctx.body.userId };
+
 			if (!user?.id) {
 				throw new APIError("UNAUTHORIZED", {
 					message: ERROR_CODES.UNAUTHORIZED_SESSION,
 				});
 			}
 
+			if (session && ctx.body.userId && session?.user.id !== ctx.body.userId) {
+				throw new APIError("UNAUTHORIZED", {
+					message: ERROR_CODES.UNAUTHORIZED_SESSION,
+				});
+			}
+
 			if (authRequired) {
 				// if this endpoint was being called from the client,
 				// we must make sure they can't use server-only properties.

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

4

News mentions

0

No linked articles in our index yet.