A high-severity vulnerability has been disclosed in Better Auth, a rapidly growing authentication framework for TypeScript, potentially allowing attackers to bypass critical access controls with a simple URL manipulation. Tracked with a CVSS score of 8.6, the flaw stems from a normalization error in the framework’s underlying router, rou3, which can be used to circumvent security rules designed to block specific paths or limit traffic rates.
With the library boasting over 2.7 million downloads per month, the discovery serves as a wake-up call for developers relying on automated routing logic for security enforcement.
The vulnerability is a classic case of semantic discrepancy—where two parts of a system interpret the same input differently. The core issue lies in rou3, the router utilized internally by Better Auth via better-call.
According to the security advisory, “Affected versions of rou3 normalize paths by removing empty segments”. This means that the router sees /sign-in/email, //sign-in/email, and ///sign-in/email as identical routes.
However, if the hosting environment (such as a proxy or web server) does not normalize these URLs before they reach the application, the discrepancy becomes a security gap. An attacker can request //restricted-path, effectively slipping past configuration rules that explicitly block /restricted-path.
The consequences of this normalization error are twofold, undermining the framework’s built-in defense mechanisms:
- Disabled Paths Bypass: Developers often use the disabledPaths config to turn off specific endpoints. The exploit allows attackers to access these “disabled” routes by simply adding an extra slash to the URL.
- Rate Limit Evasion: Security rules that apply rate limits to specific paths can be dodged. If a rate limit is set for /api/login, an attacker might be able to hammer //api/login without triggering the counter.
“If your environment does not normalize incoming URLs… this can allow bypasses of disabledPaths and path-based rate limits,” the report warns.
Not all deployments are vulnerable. The risk depends heavily on the hosting infrastructure. Environments that automatically collapse multiple slashes—such as Vercel with Next.js (default) or Cloudflare (with specific normalization settings enabled)—effectively neutralize the attack before it reaches the framework.
However, for other setups, the risk remains for Better Auth versions prior to 1.4.4.
The vulnerability has been patched in the router library rou3 (commit f60b43f). Developers are urged to take one of the following actions immediately:
- Upgrade: Update to Better Auth v1.4.5 or later, which pulls in the secured version of the router.
- Normalize Proxies: Configure your upstream proxy or load balancer to normalize URLs (collapse slashes) before forwarding requests.
- Manual Patch: If an upgrade isn’t possible, developers can implement a middleware snippet to strip extra slashes from req.url before it hits the Better Auth handler.
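As an added example, not code from Better Auth, better-call or rou3, here is a small TypeScript model of the discrepancy and of the slash-collapsing middleware the third mitigation describes. The Express-style `(req, res, next)` middleware shape and all function names are assumptions; `routerSegments` only mimics the advisory's description of rou3 dropping empty segments.

```typescript
// Collapse runs of "/" in the path component only; the query string is untouched.
// Only literal slashes are collapsed; percent-encoded characters are left as-is.
function collapseSlashes(url: string): string {
  const qIndex = url.indexOf("?");
  const path = qIndex === -1 ? url : url.slice(0, qIndex);
  const query = qIndex === -1 ? "" : url.slice(qIndex);
  return path.replace(/\/{2,}/g, "/") + query;
}

// Model (assumption, not rou3's code) of a router that ignores empty segments:
// "/sign-in/email", "//sign-in/email" and "///sign-in/email" all yield the same key.
function routerSegments(url: string): string[] {
  const path = url.split("?")[0];
  return path.split("/").filter((segment) => segment.length > 0);
}

// Naive deny list that compares the raw request path string. Because it does not
// normalize, "//sign-in/email" is not blocked even though the router will still
// dispatch it to the same handler as "/sign-in/email".
function isBlockedRaw(url: string, disabledPaths: string[]): boolean {
  return disabledPaths.includes(url.split("?")[0]);
}

// Hardened form: normalize with the same rule the check relies on, then compare.
function isBlockedNormalized(url: string, disabledPaths: string[]): boolean {
  return disabledPaths.includes(collapseSlashes(url).split("?")[0]);
}

// Middleware (hypothetical Express-style signature) that rewrites req.url in place
// so every downstream path-based rule, including the auth handler's, sees one form.
function normalizeUrlMiddleware(
  req: { url: string },
  _res: unknown,
  next: () => void,
): void {
  req.url = collapseSlashes(req.url);
  next();
}
```

Register `normalizeUrlMiddleware` before the Better Auth handler so that `disabledPaths` and rate-limit rules are evaluated against the collapsed URL.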