CVE-2025-61928
BaseFortify
Publication date: 2025-10-09
Last updated on: 2025-10-14
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| better-auth | better-auth | 1.3.26 |
| better-auth | better-auth | 1.3.25 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-285 | The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action. |
| CWE-306 | The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in Better Auth versions prior to 1.3.26 allows unauthenticated attackers to create or modify API keys for any user by supplying that user's ID in the request body to certain API endpoints. Because the system incorrectly sets authentication requirements based on the presence of a userId in the request body rather than a valid session, attackers can bypass authentication checks and set privileged fields without proper validation. This leads to a critical authentication bypass where attackers can generate API keys for any user and gain full authenticated access as that user.
How can this vulnerability impact me? :
An attacker exploiting this vulnerability can generate API keys for any user without authentication, allowing them to perform any action as the victim user. This can lead to unauthorized access to sensitive user data, manipulation of user accounts, and potentially full compromise of the application depending on the victim's privileges.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Better Auth to version 1.3.26 or later, which contains a patch for this critical authentication bypass vulnerability.