Critical Auth Bypass in Better Auth (CVE-2025-61928)
By CyberDudeBivash • Updated Oct 22, 2025 • Apps & Services
TL;DR
- What happened: a logic flaw in better-auth’s API keys plugin lets unauthenticated actors create or modify API keys for arbitrary users by passing a victim’s userId to the API-key create route. Affects ≤ 1.3.25; fixed in 1.3.26.
- Impact: practical account takeover, data/API theft, privilege escalation across apps using those keys.
- Action now: upgrade to 1.3.26+, revoke & rotate exposed API keys, audit logs for suspicious key creation, and restrict who can hit auth routes.
Table of Contents
- What Is CVE-2025-61928?
- How the Bypass Works (High-Level)
- Am I Affected? (Quick Checks)
- Patch & Immediate Mitigation
- Detection & Log Hunting
- FAQs
What Is CVE-2025-61928?
Better Auth (TypeScript authN/authZ library) contains a critical missing-auth flaw in its API-keys plugin that allows unauthenticated key creation/modification for any user. The issue was disclosed Oct 9, 2025, with a fix in v1.3.26.
Multiple databases and vendors have mirrored the advisory and impact analysis.
How the Bypass Works (High-Level)
The bug sits in request handling for the API-key creation route. When session.user is absent, the handler incorrectly treats a userId from the request body as a valid subject, enabling key creation for that account—no login required. Advisory snippet (context): session?.user ?? (authRequired ? null : { id: ctx.body.userId }). (We omit weaponizable PoC details.)
Am I Affected? (Quick Checks)
- Package version: run npm ls better-auth or check your lockfile. If ≤ 1.3.25, you’re vulnerable.
- Plugin usage: confirm whether the API keys plugin is enabled in your Better Auth configuration. If yes, prioritize patching.
- Exposure: verify whether your auth routes (e.g., /api/auth/api-key/create) are reachable from the Internet or partner networks without extra controls (WAF, IP allowlists, VPN/ZTNA).
Patch & Immediate Mitigation
- Upgrade to v1.3.26+ across all services that include better-auth. Rebuild and redeploy.
- Revoke & rotate API keys created since first vulnerable deployment. Consider forced rotation for high-value tenants or orgs.
- Lock the surface: restrict access to auth routes via WAF, ZTNA/VPN, or IP allowlists; rate-limit key-creation endpoints.
- Harden validation: server-side checks should never trust client-supplied identity (userId) without a bound authenticated session.
Detection & Log Hunting
Look for: suspicious activity on API-key endpoints without a valid session, bursts of key creation, and keys issued to many distinct users from the same IP/ASN.
-- Pseudocode/SQL ideas; adapt to your stack
-- Assumes a request-log table (here "auth_requests") with columns
-- ts, route, src_ip, user_id, session_id, session_valid.
-- 1) API-key traffic with no valid session, bucketed per source IP, user and hour
SELECT src_ip, user_id, DATE_TRUNC('hour', ts) AS hour_bucket, COUNT(*) AS hits
FROM auth_requests
WHERE route LIKE '/api/auth/api-key/%'
  AND (session_id IS NULL OR session_valid = false)
GROUP BY src_ip, user_id, DATE_TRUNC('hour', ts)
HAVING COUNT(*) > 3
ORDER BY hits DESC;
-- 2) Inventory keys created since vulnerable versions were deployed
SELECT user_id, api_key_id, created_at, src_ip
FROM api_keys
WHERE created_at >= '2025-09-01'
ORDER BY created_at DESC;
Cross-check with WAF/proxy logs for the same route and correlate first-seen IPs and user-agents. Vendor write-ups provide additional threat-model notes.
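For teams whose logs are JSON lines rather than a SQL table, here is the same hunt as an added example (not from the post, not part of better-auth): it scans constructed access-log records for API-key routes hit without a valid session, flags per-IP bursts above a threshold within an hour, and separately flags one IP minting keys for many distinct users. The field names (ts, route, src_ip, user_id, session_valid) and the thresholds are assumptions; map them to your own log schema.

```typescript
// Added example, not from the post or from better-auth. Applies the two
// hunting ideas above to constructed JSON access-log lines. Field names and
// thresholds are assumptions; adapt them to your stack.

interface AccessLog {
  ts: string;                 // ISO-8601 timestamp
  route: string;
  src_ip: string;
  user_id: string | null;     // user the key was issued for, if any
  session_valid: boolean;     // did the request carry a verified session?
}

interface Finding {
  kind: "no_session_burst" | "many_users_one_ip";
  src_ip: string;
  hour: string;
  count: number;
}

const API_KEY_ROUTE = /^\/api\/auth\/api-key\//;

function parseLine(line: string): AccessLog | null {
  try { return JSON.parse(line) as AccessLog; } catch { return null; }  // skip malformed lines
}

function hourBucket(ts: string): string {
  return ts.slice(0, 13);     // "2025-10-10T03" -> one bucket per UTC hour
}

function huntApiKeyAbuse(lines: string[], burstThreshold = 3, distinctUserThreshold = 5): Finding[] {
  const noSession = new Map<string, number>();        // "ip|hour" -> sessionless hits
  const usersPerIp = new Map<string, Set<string>>();  // "ip|hour" -> distinct target users
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || !API_KEY_ROUTE.test(ev.route)) continue;
    const k = `${ev.src_ip}|${hourBucket(ev.ts)}`;
    if (!ev.session_valid) noSession.set(k, (noSession.get(k) ?? 0) + 1);
    if (ev.user_id) {
      const s = usersPerIp.get(k) ?? new Set<string>();
      s.add(ev.user_id);
      usersPerIp.set(k, s);
    }
  }
  const findings: Finding[] = [];
  noSession.forEach((n, k) => {
    if (n > burstThreshold) {
      const [src_ip, hour] = k.split("|");
      findings.push({ kind: "no_session_burst", src_ip, hour, count: n });
    }
  });
  usersPerIp.forEach((s, k) => {
    if (s.size >= distinctUserThreshold) {
      const [src_ip, hour] = k.split("|");
      findings.push({ kind: "many_users_one_ip", src_ip, hour, count: s.size });
    }
  });
  return findings;
}

// Constructed sample: one IP with no session issuing keys for five users in one hour,
// one legitimate authenticated request, one unrelated route, one malformed line.
const SAMPLE_LOGS: string[] = [
  ...["u-101", "u-102", "u-103", "u-104", "u-105"].map((uid, i) => JSON.stringify({
    ts: `2025-10-10T03:1${i}:00Z`, route: "/api/auth/api-key/create",
    src_ip: "203.0.113.7", user_id: uid, session_valid: false,
  })),
  JSON.stringify({ ts: "2025-10-10T03:20:00Z", route: "/api/auth/api-key/create",
    src_ip: "198.51.100.2", user_id: "u-7", session_valid: true }),
  JSON.stringify({ ts: "2025-10-10T03:21:00Z", route: "/api/auth/sign-in",
    src_ip: "203.0.113.7", user_id: null, session_valid: false }),
  "not json at all",
];

function runSample(): Finding[] {
  return huntApiKeyAbuse(SAMPLE_LOGS);   // two findings, both for 203.0.113.7 in hour 2025-10-10T03
}
```

Tune the thresholds to your baseline: a busy CI tenant may legitimately create several keys per hour, but it will do so with a valid session, which is why the sessionless count and the distinct-user count are tracked separately.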
Need Help Patching & Auditing better-auth?
CyberDudeBivash delivers secure auth designs, key rotation runbooks, WAF/ZTNA isolation, and SIEM detections for SaaS & platform teams.
Explore Apps & Services cyberdudebivash.com | cyberbivash.blogspot.com | cryptobivash.code.blog
FAQs
Which versions are affected?
better-auth ≤ 1.3.25 (API keys plugin). Fixed in 1.3.26.
Is there a public CVE/NVD entry?
Yes: CVE-2025-61928 with details on impact and the flawed logic path.
Any reputable analyses?
ZeroPath’s research post and security vendor mirrors (Snyk, GitLab Advisory DB) summarize exploitability and mitigations.
#CyberDudeBivash #CVE202561928 #betterauth #AuthBypass #APIKeys #NodeJS #TypeScript #AppSec #PatchNow