npm package
better-auth
pkg:npm/better-auth
Vulnerabilities (6)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-45337 | hig | — | >= 1.6.0, < 1.6.11 | 1.6.11 | Jun 4, 2026 | ### Am I affected? You are affected if all of the following are true: - You use `better-auth` at a version `>= 1.6.0, < 1.6.11`. - The `deviceAuthorization` plugin is enabled in your auth config (`deviceAuthorization()` in your `plugins` array). - A third party can observe a pe | |
| CVE-2026-45364 | Hig | 7.3 | < 1.4.17 | 1.4.17 | May 28, 2026 | Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients contr | |
| CVE-2025-61928 | Cri | — | < 1.3.26 | 1.3.26 | Oct 9, 2025 | Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (au | |
| CVE-2025-53535 | Low | — | < 1.2.10 | 1.2.10 | Jul 7, 2025 | Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-ca | |
| CVE-2025-27143 | — | < 1.1.20 | 1.1.20 | Feb 24, 2025 | Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts cal | ||
| CVE-2024-56734 | — | < 1.1.6 | 1.1.6 | Dec 30, 2024 | Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects user |
- affected >= 1.6.0, < 1.6.11fixed 1.6.11
### Am I affected? You are affected if all of the following are true: - You use `better-auth` at a version `>= 1.6.0, < 1.6.11`. - The `deviceAuthorization` plugin is enabled in your auth config (`deviceAuthorization()` in your `plugins` array). - A third party can observe a pe
- affected < 1.4.17fixed 1.4.17
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients contr
- affected < 1.3.26fixed 1.3.26
Better Auth is an authentication and authorization library for TypeScript. In versions prior to 1.3.26, unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route. `session?.user ?? (au
- affected < 1.2.10fixed 1.2.10
Better Auth is an authentication and authorization library for TypeScript. An open redirect has been found in the originCheck middleware function, which affects the following routes: /verify-email, /reset-password/:token, /delete-user/callback, /magic-link/verify, /oauth-proxy-ca
- CVE-2025-27143Feb 24, 2025affected < 1.1.20fixed 1.1.20
Better Auth is an authentication and authorization library for TypeScript. Prior to version 1.1.21, the application is vulnerable to an open redirect due to improper validation of the callbackURL parameter in the email verification endpoint and any other endpoint that accepts cal
- CVE-2024-56734Dec 30, 2024affected < 1.1.6fixed 1.1.6
Better Auth is an authentication library for TypeScript. An open redirect vulnerability has been identified in the verify email endpoint of all versions of Better Auth prior to v1.1.6, potentially allowing attackers to redirect users to malicious websites. This issue affects user