The flaw, tracked as CVE-2025-61928, affects all versions of the better-auth library prior to 1.3.26 — a package that sees approximately 300,000 weekly npm downloads and powers authentication for organizations ranging from startups to enterprises like Equinor.
The vulnerability was discovered on October 1, 2025, when ZeroPath’s automated SAST scanner analyzed better-auth’s canary branch while building third-party dependency assessment workflows for large organizations.
ZeroPath traced the flaw to the createApiKey handler in the API keys plugin. The handler decides whether the caller must be authenticated with a single conditional that looks at whether a session exists and whether the request body contains a userId field.
When no session exists but the JSON body supplies a userId, that authRequired flag evaluates to false, and the handler builds its user object directly from the attacker-controlled body instead of from a session.
Because the check that rejects server-only fields such as rateLimitMax, remaining, refillAmount, and permissions sits only on the authRequired branch, the forged-userId path skips that validation as well.
As a result, an unauthenticated attacker can send a single POST request to /api/auth/api-key/create with a victim’s user ID in the body and receive a fully valid API key bound to that account.
The same flawed logic also affects the updateApiKey handler, extending the attack surface to credential modification. The vulnerable code path has existed in every release containing the API keys plugin, meaning all prior versions are susceptible.
The impact is significant because API keys typically outlive browser sessions and often carry elevated automation privileges. With a valid key in hand, an attacker can bypass multi-factor authentication entirely and script systematic account takeovers across any known or guessable account identifiers.
Organizations using the better-auth API keys plugin should upgrade immediately to version 1.3.26 or later, which corrects the authorization check. Upgrading does not remove keys an attacker may already have minted: after upgrading, enumerate the API keys attached to each account, revoke any the account owner does not recognize, rotate the keys that were legitimately issued during the exposure window, and invalidate unused credentials.
Defenders should review application and reverse-proxy logs for unauthenticated calls to /api/auth/api-key/create or /api/auth/api-key/update — specifically requests lacking authenticated session cookies where the body sets userId, rateLimitMax, or permissions fields.
Any ambiguous log activity warrants a full credential reissuance for affected accounts, followed by monitoring for API usage originating from unfamiliar IPs or service tokens.
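The following added example (not a rule shipped by better-auth or by the article's authors) runs that log review over constructed reverse-proxy records. It assumes the proxy writes one JSON object per request with method, path, status, the request Cookie header and, where body capture is enabled, the JSON request body; the field names and the default session cookie name are assumptions to adapt to your deployment. Sessionless POSTs to the two endpoints are reported even when no body was captured, since a 2xx response on such a request is itself the strongest indicator.

```javascript
// Added example: detection logic over constructed reverse-proxy log lines.
// Log field names (ts, src, method, path, status, cookie, body) and the
// session cookie pattern are assumptions; adapt them to your proxy and config.
const TARGET_PATHS = new Set(["/api/auth/api-key/create", "/api/auth/api-key/update"]);
const SUSPICIOUS_FIELDS = ["userId", "rateLimitMax", "remaining", "refillAmount", "permissions"];
// Assumed default better-auth session cookie; "__Secure-" prefixed when secure cookies are on.
const SESSION_COOKIE = /(^|;\s*)(__Secure-)?better-auth\.session_token=/;

function hasSessionCookie(cookieHeader) {
  return typeof cookieHeader === "string" && SESSION_COOKIE.test(cookieHeader);
}

// Body may be logged as a JSON string, an already-parsed object, or missing.
function parseBody(raw) {
  if (raw && typeof raw === "object") return raw;
  if (typeof raw !== "string") return null;
  try {
    return JSON.parse(raw);
  } catch (e) {
    return null;
  }
}

// Returns one finding per sessionless POST to an API-key endpoint, listing
// which privileged fields the captured body set (empty if no body was logged)
// and whether the request succeeded (2xx).
function findSuspiciousApiKeyRequests(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch (e) {
      return; // skip malformed lines rather than abort the sweep
    }
    const path = String(entry.path || "").split("?")[0];
    if (entry.method !== "POST" || !TARGET_PATHS.has(path)) return;
    if (hasSessionCookie(entry.cookie)) return;
    const body = parseBody(entry.body) || {};
    const fields = SUSPICIOUS_FIELDS.filter((f) => f in body);
    const succeeded = typeof entry.status === "number" && entry.status >= 200 && entry.status < 300;
    findings.push({
      line: i + 1,
      ts: entry.ts,
      src: entry.src,
      path,
      status: entry.status,
      fields,
      userId: body.userId === undefined ? null : body.userId,
      succeeded,
    });
  });
  return findings;
}

// Constructed sample log: a forged create, a legitimate create, an unrelated
// request, a forged update, a garbled line, and a sessionless probe that was
// rejected (as it would be after the patch).
const SAMPLE_LOG = [
  JSON.stringify({ ts: "2025-10-03T11:02:14Z", src: "203.0.113.7", method: "POST", path: "/api/auth/api-key/create", status: 200, cookie: "", body: "{\"userId\":\"usr_01HXY\",\"rateLimitMax\":1000000,\"permissions\":{\"files\":[\"read\",\"write\"]}}" }),
  JSON.stringify({ ts: "2025-10-03T11:05:40Z", src: "198.51.100.12", method: "POST", path: "/api/auth/api-key/create", status: 200, cookie: "__Secure-better-auth.session_token=abc123.sig", body: "{\"name\":\"ci-runner\"}" }),
  JSON.stringify({ ts: "2025-10-03T11:05:41Z", src: "198.51.100.12", method: "GET", path: "/api/auth/get-session", status: 200, cookie: "__Secure-better-auth.session_token=abc123.sig" }),
  JSON.stringify({ ts: "2025-10-03T11:09:02Z", src: "203.0.113.7", method: "POST", path: "/api/auth/api-key/update?x=1", status: 200, cookie: "", body: "{\"keyId\":\"key_9\",\"userId\":\"usr_01HXY\",\"remaining\":999999}" }),
  "not a json line",
  JSON.stringify({ ts: "2025-10-04T08:00:00Z", src: "203.0.113.9", method: "POST", path: "/api/auth/api-key/create", status: 401, cookie: "", body: null }),
];

console.log(findSuspiciousApiKeyRequests(SAMPLE_LOG));
```

Findings with succeeded set to true and a non-null userId are the accounts to treat as compromised first; findings with no captured body still name the account only if the endpoint response can be correlated elsewhere, so treat those as a prompt to pull the application-side log for the same timestamp.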
Better-auth’s maintainers responded quickly after responsible disclosure, shipping a patch within 24 hours. The GitHub Security Advisory GHSA-99h5-pjcv-gr6v and CVE-2025-61928 assignment were published shortly after. The coordinated timeline from discovery to public advisory spanned just eight days, reflecting strong vendor responsiveness.
The post Critical Authentication Bypass in better-auth API Keys Plugin Allows Unauthenticated Account Takeover appeared first on Cyber Security News.