CVE-2026-45364
Deferred Deferred - Pending Action
Rate Limiting Bypass via IPv6 in Better Auth

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-28
Last Modified
2026-06-01
Generated
2026-06-19
AI Q&A
2026-05-29
EPSS Evaluated
2026-06-18
NVD
CVE-2026-45364
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
better_auth better_auth to 1.4.17|end_excluding=1.5.0-beta.9 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Better Auth authentication and authorization library for TypeScript. The issue is with its HTTP rate limiter, which keys each request by the exact textual IP address found in the x-forwarded-for header or a configured IP-bearing header. IPv6 clients that control a typical /64 allocation can rotate through 2^64 different source addresses without exhausting the per-address rate limit counter. This allows them to bypass rate limiting on sensitive endpoints such as /sign-in/email, /sign-up/email, and /forget-password. Additionally, a single client can vary the textual encoding of one IPv6 address (using uppercase, compression, IPv4-mapped, or hex-encoded IPv4-in-IPv6 formats) to generate multiple distinct keys, further defeating the rate limiting mechanism. The vulnerability was fixed in versions 1.4.17 and 1.5.0-beta.9 of Better Auth.

Impact Analysis

This vulnerability can allow an attacker to bypass rate limiting protections on authentication-related endpoints by rotating through many IPv6 addresses or varying the textual representation of a single IPv6 address. This can lead to increased risk of brute force attacks on sign-in, sign-up, and password reset functionalities, potentially resulting in unauthorized access, account compromise, or denial of service due to resource exhaustion.

Mitigation Strategies

To mitigate this vulnerability, upgrade Better Auth to version 1.4.17 or later, or to 1.5.0-beta.9 or later. These versions contain the fix for the HTTP rate limiter issue that allowed IPv6 clients to bypass rate limiting by rotating through distinct source addresses or varying textual encoding.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45364. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart