chore(deps): update dependency better-auth to v1.3.26 [security] #2468

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Open

renovate wants to merge 1 commit into master from renovate/npm-better-auth-vulnerability

Contributor

renovate bot commented Oct 9, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
better-auth (source)	`1.3.7` -> `1.3.26`

GitHub Vulnerability Alerts

CVE-2025-61928

Summary

Unauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the api/auth/api-key/create route.

Details

The vulnerability exists in the authentication logic at when checking for user authentication then derives the user as session?.user ?? (authRequired ? null : { id: ctx.body.userId }). When no session exists but userId is present in the request body, authRequired becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when authRequired is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint.

PoC

curl -X POST http://localhost:3000/api/auth/api-key/create \
   -H 'Content-Type: application/json' \
   -d '{
         "userId": "victim-user-id",
         "name": "zeropath"
       }'

Response contains the new API key whose userId matches the victim, confirming the bypass.

Impact

This is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges.

This issue was found by ZeroPath.

Release Notes

better-auth/better-auth (better-auth)

`v1.3.26`

🐞 Bug Fixes

[security] api keys should properly check if a request is from client or server - by @Bekacru (55608)
api-key: Shouldn't issue api key a mock session by default - by @Bekacru (a49e5)

View changes on GitHub

`v1.3.25`

🚀 Features

Additional fields on account - by @dvanmali in #4935 (f148f)
Add support for custom callback for token url - by @acusti in #5027 (3f668)
captcha: Add support for CaptchaFox - by @tgrassl in #4944 (b6119)
cli: Add mcp client configs from cli - by @Kinfe123 and @himself65 in #4872 (e1082)

🐞 Bug Fixes

Support compressed ipv6 format - by @Velka-DEV in #4982 (c2f27)
Add required constraint to slug filed in org plugin - by @bytaesu in #4989 (39189)
Use consistent messaging on requestPasswordReset - by @Eazash in #5014 (d6224)
Cookie size limit shouldn't throw error - by @Bekacru and @himself65 in #5031 (dece5)
Handle symbols in proxy get trap to prevent TypeError - by @zbeyens and @himself65 in #4924 (85f3b)
Ttl for rate limited secondary storage - by @dvanmali in #4961 (45cd3)
adapter:
- Use updated field values in WHERE clause during update - by @QuintenStr and @ping-maxwell in #5004 (3e298)
- Foreign keys that are nullable on number ids can return string of null - by @ping-maxwell in #5036 (84e99)
api-key:
- Correct refill interval time calculation - by @Pankaj3112 and @himself65 in #4871 (64ac8)
client:
- Add lynx client exports - by @JagritGumber in #4950 (70202)
device-authorization:
- Fix client error type for deny device - by @3ddelano in #5022 (ec788)
last-login-method:
- Custom resolver method default logic - by @ThibautCuchet in #4821 (2616e)
oauth-proxy:
- Should skip state check for oauth proxy - by @Bekacru in #4991 (a3c1d)
oidc:
- Properly enforce consent requirements per OIDC spec - by @himself65 in #4974 (20704)
org:
- Update type to include undefined - by @himself65 in #5003 (cce9e)
sso:
- Safe json parsing for saml/oidc configs - by @natetewelde and @himself65 in #4858 (d09c7)
- Prevent duplicate SSO provider creation with same providerId - by @xiaoyu2er in #5033 (cfe64)
stripe:
- Update with an existing subscription - by @himself65 in #4988 (6a288)
- Sync customer email on db change - by @himself65 in #4995 (cdd7b)
- getCustomerCreateParams not actually being called - by @ebalo55 and @himself65 in #5019 (cdd6f)

🏎 Performance

Lazy load create telemetry - by @himself65 in #5007 (e05ce)

View changes on GitHub

`v1.3.24`

🚀 Features

Add support for custom callback for authorization url - by @Bekacru in #4919 (458cb)

🐞 Bug Fixes

Refresh secondary storage sessions on user update - by @frectonz in #4522 (80b8c)
cli: Timestamp in schema for Drizzle with SQLite - by @zy1p in #4622 (cee5a)
db: onDelete is ignored - by @himself65 in #4973 (aba9a)
deps: Update dependency @nanostores/react to v1 - in #4963 (483f6)

🏎 Performance

Improve type Auth - by @himself65 in #4930 (574b9)

View changes on GitHub

`v1.3.23`

`v1.3.22`

`v1.3.21`

`v1.3.20`

`v1.3.19`

🐞 Bug Fixes

getSession shouldn't expose options and path types - by @Bekacru in #4947 (633a7)

View changes on GitHub

`v1.3.18`

🐞 Bug Fixes

Ttl sessions list expiration - by @dvanmali in #3836 (71129)
Tests failing due to clock drift - by @dvanmali in #4915 (8351c)
Moved email verification check after password check - by @QuintenStr in #4835 (0088c)
cli: DefaultNow is deprecated in schema for Drizzle with SQLite - by @himself65 in #4889 (e979f)
custom-session: Don't overwrite the Set-Cookie header - by @frectonz in #4388 (15b00)
email-otp: Call reset password callback - by @HoshangDEV in #4818 (45101)

View changes on GitHub

`v1.3.17`

🚀 Features

sso: Provide default service provider metadata - by @dvanmali in #4866 (4a9d1)

🐞 Bug Fixes

nuxt: Avoid load env base url for SSR - by @himself65 in #4887 (15cc7)

View changes on GitHub

`v1.3.16`

No significant changes

View changes on GitHub

`v1.3.15`

🐞 Bug Fixes

types: Include null in getSession return type - by @jcajuab in #4812 (d447c)

View changes on GitHub

`v1.3.14`

🚀 Features

passkey: Allow multiple passkey origins - by @kevcube in #4800 (d9601)
sso: DefaultSSO options and ACS endpoint - by @Kinfe123 and Bereket Engida in #3660 (348f3)

🐞 Bug Fixes

Wrap Math.floor around the division when calculating TTL - by @DevDuki, Dusan Misic, ping-maxwell and @himself65 in #4768 (08da9)
api-key:
- Calling client on server side - by @himself65 in #4777 (d384e)
mcp:
- Missing Content-Type header for mcp DCR - by @Berndwl in #4763 (a6b2e)
organization:
- Pass ctx to DB hooks - by @ping-maxwell in #4769 (39c21)
- Allow passing id through beforeCreateOrganization - by @ping-maxwell in #4765 (25a43)
username:
- Username should respect send on sign config - by @QuintenStr in #4799 (ac49e)

View changes on GitHub

`v1.3.13`

🚀 Features

Add returnHeaders to getSession - by @frectonz in #3983 (8a4b3)
last-login-method: Update OAuth login method tracking for multiple auth type - by @Kinfe123 in #4693 (c03fd)

🐞 Bug Fixes

client: BaseURL is undefined for SSR - by @himself65 in #4760 (c1514)
organization: Remove autoCreateOnSignUp option as it's not implemented yet - by @Bekacru in #4755 (21bd4)
passkey: Remove email from query - by @himself65 in #4740 (8709a)

View changes on GitHub

`v1.3.12`

🚀 Features

discord: Allow specification of permissions - by @TheUntraceable and @Bekacru in #4717 (c6e33)
email-otp: Allow returning undefined in generateOTP - by @ping-maxwell in #4723 (11dbf)

🐞 Bug Fixes

Device authorization plugin - by @bytaesu in #4695 (578a6)
Reduce any type in generator.ts - by @himself65 in #4710 (fd29b)
Refresh secondary storage sessions on user update - by @frectonz in #4522 (c3354)
Allow disable database transaction - by @himself65 in #4733 (7efd1)
adapter:
- Returning null as string for optional id references - by @jslno in #4713 (c6e5d)
api-key:
- Cascade api keys on user deletion - by @ping-maxwell in #4703 (62b50)
create-adapter:
- Disable transaction by default - by @ping-maxwell in #4750 (4a434)
organization:
- Decouple client and server permission checks - by @Bekacru in #4707 (adfc4)
- Membership check for organizations with large member counts - by @Badbird5907 and @himself65 in #4724 (97b02)
stripe:
- OnCustomerCreate should be called even if update user isn't returned - by @Bekacru in #4716 (d3509)

View changes on GitHub

`v1.3.11`

🚀 Features

Flip emailVerified when link the account - by @himself65 in #4621 (cf2ca)

🐞 Bug Fixes

Check if user exists before banning the user - by @anmol-fzr, KinfeMichael Tariku and @himself65 in #4649 (283c2)
Timestamp issues in kysely - by @frectonz and @himself65 in #4542 (e5874)
Respect errorCallbackURL in failed oauth flows - by @frectonz in #4650 (43545)
plugins: Asynchronous init - by @LightTab2 and @himself65 in #4680 (9d216)

View changes on GitHub

`v1.3.10`

Maintenance update: We fixed lots of issues from the community. Thanks to everyone for contributing to better-auth.

🚀 Features

Add getActiveRoleMember - by @fathisiddiqi, @Kinfe123 and @himself65 in #4484 (f6f19)
Database transaction support - by @himself65 and Joel Solano in #4414 (22c39)
logger: Option to disable colors - by @martiinii and @himself65 in #4402 (53076)
passkey: Error codes in passkey client - by @frectonz, @Kinfe123 and @Bekacru in #3966 (4b2f5)
sqlite: Remove autoincrement for SQLite - by @pspeter3 in #4466 (f2c9d)

🐞 Bug Fixes

Ignore cookiecache on auth sensitive functions - by @Kinfe123 in #4530 (e2a95)
Custom field for refreshTokenExpiresAt - by @himself65 in #4569 (cc007)
Return local IP in development mode - by @DiiiaZoTe and @himself65 in #2511 (b4ad6)
Make cookie cache respect dontRememberMe mode - by @frectonz in #4558 (acb28)
Normalize zod imports - by @gabrielmar in #4593 (adbfc)
Check endpoint conflicts respect method - by @himself65 in #4595 (60930)
Respect username validator - by @azaek and @himself65 in #3669 (b8bed)
Set clientId in ProviderOptions to unknown by default - by @himself65 in #4596 (78250)
Pick the first clientId for oauth provider - by @himself65 in #4598 (8df46)
Remove use of global.crypto - by @himself65 in #4606 (ef450)
Should infer types correctly when empty list of plugins is provided - by @frectonz in #4612 (08fa1)
Correct MongoDB adapter import path in CLI - by @aajeeth-m in #4602 (58963)
Make sure fetch function doesn't get called repeatedly on onMount - by @frectonz in #4669 (9d6e4)
Prevent lastLoginMethod plugin from setting cookie on failed auth - by @Kinfe123 in #4673 (e297c)
admin:
- Change the order of role and user id check when both are provider on userHasPermission - by @Bekacru in #4653 (29c57)
anonymous:
- Prevent false positive error on first anonymous sign-in - by @ajanraj and @himself65 in #3662 (96804)
cli:
- info shows the correct version - by @himself65 in #4547 (7faae)
- Add missing JSON type to schema generation - by @TheGB0077 and @Kinfe123 in #4494 (20e87)
demo:
- Update forgot password link to /forget-password - by @GivenBY in #4567 (94450)
docs:
- Remove duplicated RFC compliance mention - by @TheUntraceable in #4581 (5f80c)
expo:
- window.crypto is undefined - by @himself65 in #4620 (7dbc5)
- Missing peer deps - by @himself65 in #4617 (16160)
lastLoginMethod:
- Inherit cross-subdomain cookie settings in lastLoginMethod plugin - by @lumpinif in #4572 (78424)
memory-adapter:
- Should respect where connector - by @jslno in #4549 (784db)
multi-session:
- Multi-session cookie name preface preventing multiple accounts signed in - by @PacifismPostMortem in #4505 (8eb64)
one-time-token:
- Typo and clean - by @gabrielmar in #4579 (01365)
organization:
- checkRolePermission shouldn't be a promise - by @ping-maxwell in #4533 (abfc4)
- Member and team hooks should apply on create organization - by @Bekacru in #4600 (7fc23)
- Before org create hooks not applying customized data - by @Bekacru in #4623 (da9b8)
- [security] updateOrgRole should check for userId properly - by @Bekacru (12a9d)
- Restrict role check by user id - by @himself65 in #4641 (f5fd8)
prisma:
- Handle optional field relation types correctly - by @LiYulin-s in #4630 (80b73)
stripe:
- Properly resolve plans by lookup keys - by @AlexProgrammerDE in #4499 (b531d)
- Subscription is created without completing payment - by @himself65 in #4548 (e663f)
- Prevent multiple free trials for same user - by @RikhiSingh in #4562 (1bb12)
- Use correct request method for billing-portal - by @danielepintore in #4613 (9f23e)
tiktok:
- Remove client_secrect from authorizationUrl - by @arslan2012 in #4511 (71aeb)
username:
- Add missing normalization - by @bortoz and @himself65 in #3636 (9d316)
- Sign in should work with post normalization - by @Bekacru and @himself65 in #4599 (b2dfb)
vue:
- Correct baseURL - by @himself65 in #4578 (90ea9)

View changes on GitHub

`v1.3.9`

🚀 Features

Add support for not in operator - by @Bekacru in #4449 (1651f)
Lynx integration - by @himself65 in #4470 (9589c)
mcp: Customize resource in protected resource metadata - by @frectonz in #4419 (d4459)
rate-limiter: Allow disabling custom paths to not be rate limited - by @Bekacru in #4502 (693c8)

🐞 Bug Fixes

Cloudflare build warning with node:sqlite - by @himself65 in #4415 (14ad4)
Shouldn't update personal sub when upgrading with org ref id - by @Bekacru in #4435 (9d8f7)
Properly generate OpenAPI schema for nested ZodObject and ZodOptional - by @Kinfe123 in #4489 (5f996)
Respect allow different email linking option on callbacks - by @Bekacru in #4504 (6c35a)
expo: Handle link social - by @frectonz in #4420 (d42cc)
jwt: Revert set default iat for /token endpoint - by @dvanmali in #4501 (8f80a)
mcp: Remove duplicate /api/auth from wwwAuthenticateValue and properly format the header - by @paoloricciuti in #4462 (4b364)
org: List user teams had incorrect path method in jsdoc - by @ping-maxwell in #4446 (ad28a)
paypal: Use base64.encode - by @himself65 in #4527 (4ebc6)
stripe: Prevent multiple free trials - by @hendrik-krebs in #4432 (32546)
tiktok: Refresh token flow uses client_key - by @Manokii in #4437 (d8145)

View changes on GitHub

`v1.3.8`

🚀 Features

Support to infer error types from endpoint - by @himself65 in #4095 (48f91)
Support node:sqlite - by @himself65 in #3869 (fc8a2)
Remote sign a jwt payload - by @dvanmali and @himself65 in #4074 (c05b1)
Support device authorization - by @himself65 in #3811 (5ded0)
Support custom schema merging in SIWE plugin - by @himself65 in #4138 (09a04)
Add figma provider - by @ShobhitPatra and @Kinfe123 in #4134 (d476f)
Enhance Microsoft Entra ID type definitions - by @Kinfe123 in #3806 (492b5)
Add onUpdate field on db schema generation - by @himself65 in #4241 (240ef)
Add onInvitationAccepted callback for org invitations - by @Kinfe123 in #4120 (cac8b)
Add query parameter to useSession().refetch() for cache control consistency - by @adriandlam and @himself65 in #3890 (8fdc7)
Add last login method plugin - by @Bekacru in #4347 (2db14)
Check endpoint conflits - by @himself65 in #4288 (b4f0c)
Add json field type - by @dvanmali in #4297 (94a28)
Add @default and @updatedAt for prisma generator - by @himself65 in #4375 (c84b3)
Use defaultNow() for drizzle timestamp fields - by @Badbird5907 and @himself65 in #3873 (9fb9b)
admin:
- Get user - by @0xJJW, @ping-maxwell and ping-maxwell in #2587 (cf7f2)
- /admin/update-user role as array - by @alliefitter in #4371 (6c00b)
atlassian:
- Add atlassian social provider - by @ShobhitPatra in #4221 (e1552)
cli:
- Add info script - by @himself65 in #4143 (79311)
cognito:
- Add amazon cognito provider - by @ShobhitPatra in #4229 (02752)
demo:
- Improve sign-up component - by @himself65 in #3789 (d4c15)
jwt:
- Add disableSettingJwtHeader flag to prevent issuance of signed jwt - by @dvanmali in #4072 (4b8a2)
- Jwks remote url - by @dvanmali in #4071 (74ccf)
mcp:
- Add protected-resource metadata endpoint - by @frectonz and @himself65 in #4394 (f937c)
microsoft:
- Add support for setting authority - by @Stadly in #4149 (f4c41)
openapi:
- Support Scalar Theme - by @bytaesu in #4355 (9db29)
org:
- Dynamic Access Control - by @ping-maxwell and @himself65 in #4087 (11bb6)
organization:
- Organization life cycle hooks - by @Bekacru and @ping-maxwell in #4049 (bba0a)
paypal:
- Add paypal OAuth2 provider - by @ShobhitPatra in [#4107](https://redirect.gith

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

safedep bot commented Oct 9, 2025 •

edited

Loading

SafeDep Report Summary

⚠ 1 packages are identified as suspicious, human review is recommended.

Package Details

Package	Malware	Vulnerability	Risky License	Report
`better-auth @ 1.3.26` _{pnpm-lock.yaml}				🔗
`@better-auth/core @ 1.3.26` _{pnpm-lock.yaml}				🔗
`@better-auth/utils @ 0.3.0` _{pnpm-lock.yaml}				🔗
`@napi-rs/wasm-runtime @ 1.0.7` _{pnpm-lock.yaml}				🔗
`@noble/ciphers @ 2.0.1` _{pnpm-lock.yaml}				🔗
`@noble/hashes @ 2.0.1` _{pnpm-lock.yaml}				🔗
`@oxc-project/types @ 0.95.0` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-android-arm64 @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-darwin-arm64 @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-darwin-x64 @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-freebsd-x64 @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-linux-arm-gnueabihf @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-linux-arm64-gnu @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-linux-arm64-musl @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-linux-x64-gnu @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-linux-x64-musl @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-openharmony-arm64 @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-wasm32-wasi @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-win32-arm64-msvc @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-win32-ia32-msvc @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/binding-win32-x64-msvc @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`@rolldown/pluginutils @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗
`jose @ 6.1.0` _{pnpm-lock.yaml}				🔗
`nanostores @ 1.0.1` _{pnpm-lock.yaml}				🔗
`rolldown @ 1.0.0-beta.44` _{pnpm-lock.yaml}				🔗

_{This report is generated by SafeDep Github App}


          chore(deps): update dependency better-auth to v1.3.26 [security]

d3815b9

renovate bot force-pushed the renovate/npm-better-auth-vulnerability branch from 3e50cf5 to d3815b9 Compare

October 21, 2025 23:38

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet