Better Auth API Keys Vulnerability Lets Attackers Create Privileged Credentials For Arbitrary Users

A severe vulnerability in the popular better-auth library’s API keys plugin enables attackers to generate privileged credentials for any user without authentication.

Tracked as CVE-2025-61928, the issue affects better-auth, a TypeScript authentication framework downloaded around 300,000 times weekly on npm.

This flaw could lead to widespread account compromises, particularly for applications relying on API keys for automated access. Better-auth powers authentication for fast-growing startups and major enterprises, including energy giant Equinor.

Its plugin architecture simplifies adding features like API key management, but a subtle bug in the authorization logic opened the door to exploitation.

ZeroPath uncovered the vulnerability during scans of third-party dependencies, highlighting risks in authentication libraries that underpin entire application ecosystems.

Better Auth API Keys Vulnerability

The problem lies in the createApiKey handler within the plugin. Normally, it derives user context from an active session to enforce security checks.


However, when a request lacks a session but includes a userId in the body, the code sets an “authRequired” flag to false. This skips critical validations, allowing the handler to fabricate a user object from attacker-supplied data.

As a result, unauthenticated attackers can POST to the /api/auth/api-key/create endpoint with a target user’s ID, name, and optional privileged fields like rate limits or permissions.

The response returns a valid API key tied to the victim’s account, bypassing multi-factor authentication and enabling scripted takeovers. The same logic affects update endpoints, amplifying the risk.

API keys often grant long-lived, elevated privileges for automation, making this vulnerability particularly dangerous. Attackers could impersonate users, access sensitive data, or automate malicious actions across services.

Only deployments with the API keys plugin are impacted, but given better-auth’s adoption, exposure is significant. To mitigate, upgrade immediately to better-auth version 1.3.26 or later, which fixes the authorization check.

Rotate all API keys created via the plugin, invalidate unused ones, and audit logs for suspicious unauthenticated requests to create or update endpoints, especially those setting userId or high-privilege values.
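The authorization mistake described above and the audit advice in this paragraph, as an added TypeScript illustration that is not better-auth's own code: a simplified handler in its vulnerable and hardened forms, plus a log filter for unauthenticated create/update calls. The type names, the `mintKey` placeholder, the log record shape and the field names `permissions` and `rateLimit` are assumptions made for the example.

```typescript
// Added illustration, not better-auth's own code: a minimal model of the
// authorization mistake the advisory describes, its fix, and a log check.
type Session = { userId: string };
type CreateKeyBody = { userId?: string; name?: string; permissions?: string[] };
type Result = { ok: true; ownerId: string; key: string } | { ok: false; status: number };

// Constructed placeholder; a real implementation uses a CSPRNG.
function mintKey(ownerId: string): string {
  return `key_for_${ownerId}`;
}

// Vulnerable pattern: with no session, a body-supplied userId switches
// authRequired off, so the handler trusts attacker-controlled identity data.
export function createApiKeyVulnerable(session: Session | null, body: CreateKeyBody): Result {
  let authRequired = true;
  let userId = session?.userId;
  if (!session && body.userId) {
    authRequired = false;   // the skipped check is the whole bug
    userId = body.userId;   // whose key gets minted is now caller-chosen
  }
  if (authRequired && !session) return { ok: false, status: 401 };
  if (!userId) return { ok: false, status: 401 };
  return { ok: true, ownerId: userId, key: mintKey(userId) };
}

// Hardened pattern: identity comes only from the authenticated session;
// a body userId is accepted only when it matches that session.
export function createApiKeyHardened(session: Session | null, body: CreateKeyBody): Result {
  if (!session) return { ok: false, status: 401 };
  if (body.userId !== undefined && body.userId !== session.userId) {
    return { ok: false, status: 403 };
  }
  return { ok: true, ownerId: session.userId, key: mintKey(session.userId) };
}

// Audit helper for the advice above: flag create/update calls that had no
// session yet carried userId or privileged fields. Log shape is constructed.
export type ApiKeyLog = { path: string; hasSession: boolean; bodyFields: string[] };
export function flagSuspicious(logs: ApiKeyLog[]): ApiKeyLog[] {
  const sensitive = new Set(["userId", "permissions", "rateLimit"]); // assumed names
  return logs.filter(
    (l) =>
      /^\/api\/auth\/api-key\/(create|update)$/.test(l.path) &&
      !l.hasSession &&
      l.bodyFields.some((f) => sensitive.has(f)),
  );
}
```

Server-side callers that legitimately mint keys for other users should go through a separate, internally authenticated path rather than the public endpoint.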

The maintainers patched it swiftly after disclosure on October 2. The advisory (GHSA-99h5-pjcv-gr6v) was published on October 8 via GitHub, and the CVE was assigned the next day.


Guru Baran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.