CVE-2025-61928
Better Auth: Unauthenticated API key creation through api-key plugin
Description
### **Summary** A critical authentication bypass was identified in the API key creation and update endpoints. An attacker could create or modify API keys for arbitrary users by supplying a victim’s user ID in the request body. Due to a flaw in how the authenticated user was derived, the endpoints could treat attacker-controlled input as an authenticated user object under certain conditions. ### **Details** The vulnerability originated from fallback logic used when determining the current user. When no session was present, the handler incorrectly allowed request-body data to populate the user context used for authorization decisions. Because server-side validation only executed when authentication was required, privileged fields were not properly protected. As a result, the API accepted unauthenticated requests that targeted other users. This same pattern affected both the API key creation and update routes. ### **Impact** Unauthenticated attackers could generate or modify API keys belonging to any user. This granted full authenticated access as the targeted user and, depending on the user’s privileges, could lead to account compromise, access to sensitive data, or broader application takeover.
How to fix CVE-2025-61928
To remediate CVE-2025-61928, upgrade the affected package to a fixed version below.
- —upgrade to 1.3.26 or later
Is CVE-2025-61928 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.3.26