A critical authentication bypass vulnerability has been discovered in Better Auth, a popular framework-agnostic authentication and authorization library for TypeScript, used by developers to add secure login, 2FA, and multi-tenant support with minimal setup.
The flaw, tracked as CVE-2025-61928 and rated CVSSv4 9.3 (Critical), allows unauthenticated attackers to create or modify API keys for any user, leading to complete compromise of accounts and applications using the affected plugin.
Better Auth has become a cornerstone of modern TypeScript authentication stacks, with over 1.5 million monthly downloads and compatibility with popular frameworks like Next.js, SvelteKit, and Express. Its plugin ecosystem allows developers to rapidly extend authentication workflows — including API key management — without manually building complex identity logic.
However, this convenience came with a critical oversight in the API keys plugin, opening a direct path for attackers to impersonate users.
The issue lies in how Better Auth derives user identity when processing API key creation requests. In affected versions, the library’s authentication logic sets the user context based on the following expression:
When no active session exists but the request body contains a userId, the system incorrectly treats the request as authenticated, assigning the attacker’s supplied userId to the user context.
“When no session exists but userId is present in the request body, authRequired becomes false and the user object is set to the attacker-controlled ID.”
Because server-only field validation only executes when authRequired is true, the attacker’s request bypasses authentication checks entirely. The system then writes the malicious payload directly to the database, generating an API key that belongs to the victim user.
“Server-only field validation only executes when authRequired is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted.”
This same insecure logic also exists in the update endpoint, allowing attackers to modify existing API keys tied to other accounts.
The exploit can be triggered using a simple cURL request, requiring no authentication headers:
Once the rogue API key is generated, it provides full authenticated access to the victim’s account — allowing the attacker to read, write, or delete data depending on the victim’s role.
The vulnerability affects Better Auth version 1.3.25 and earlier. A fix was released in version 1.3.26, which introduces stricter authentication enforcement and disables unauthenticated access to the affected API key routes.