Better-auth account takeover (CVE-2025-61928) found via ZeroPath(zeropath.com)
zeropath.com
Better-auth account takeover (CVE-2025-61928) found via ZeroPath
https://zeropath.com/blog/breaking-authentication-unauthenticated-api-key-creation-in-better-auth-cve-2025-61928
4 comments
Interesting, wonder how long this has been latent for
this is actually insane how far AI SAST like ZeroPath and others have come
this is actually so cool
The vulnerability is a logic error in how the API keys plugin determines user context when a userId is specified. Fix is in version 1.3.26. This is the kind of business logic flaw that traditional dependency vetting (stars, existing CVEs, reputation) doesn't catch. We're working on tooling to make these audits more practical at scale.