Pricing
Case studies
Login
Start trial
better-auth
N/A
Developer
N/A
Latest version
N/A
Installations
N/A
Last updated
Npm Npm
No VDP
Claim ownership
Report vulnerability
Vulnerabilities
Security Contributors
Vulnerability history
0 present
21 patched
0 Mitigation rules
NPM: Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows
>= 0.3.4, < 1.6.11
1 hour ago
NPM: @better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive
< 1.6.11
1 hour ago
NPM: Better Auth: OAuth refresh-token rotation forks the token family on concurrent redemption
>= 1.4.8-beta.7, < 1.6.0
1 hour ago
NPM: Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default
< 1.6.11
1 hour ago
NPM: Better Auth has stored XSS in the auth-server origin via javascript: redirect_uri in oidc-provider and mcp
< 1.6.13
1 hour ago
NPM: Better Auth has an account takeover issue via OAuth auto-link to unverified pre-registered email
< 1.6.11
1 hour ago
NPM: Better Auth vulnerable to unauthorized invitation acceptance via unverified email match in organization plugin
< 1.6.11
1 hour ago
NPM: Better Auth: OAuth refresh-token replay via missing client authentication on oidc-provider and mcp plugins
< 1.6.11
2 hours ago
NPM: Better Auth: Device authorization approve and deny accept any authenticated session while the user code is pending
>= 1.6.0, < 1.6.11
04/06/2026
NPM: Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
< 1.4.17
15/05/2026
NPM: Better Auth: OAuth callback accepts mismatched `state` when cookie-backed state storage is used without PKCE
< 1.6.2
15/05/2026
NPM: Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
< 1.4.9
03/04/2026
NPM: Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits
< 1.4.5
16/12/2025
NPM: Better Auth affected by external request basePath modification DoS
< 1.4.2
01/12/2025
NPM: Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions
>= 1.3.34, < 1.4.0
26/11/2025
NPM: Better Auth: Unauthenticated API key creation through api-key plugin
< 1.3.26
09/10/2025
NPM: Better Auth Open Redirect Vulnerability in originCheck Middleware Affects Multiple Routes
<= 1.2.9
07/07/2025
NPM: Better Auth allows bypassing the trustedOrigins Protection which leads to ATO
<= 1.1.20
24/02/2025
NPM: Beter Auth has an Open Redirect via Scheme-Less Callback Parameter
< 1.1.20
24/02/2025
NPM: Better Auth URL parameter HTML Injection (Reflected Cross-Site scripting)
>= 0.0.2, < 1.1.16
05/02/2025
NPM: Better Auth has an Open Redirect Vulnerability in Verify Email Endpoint
< 1.1.6
30/12/2024