A vulnerability in the better-auth library could allow attackers to take over user accounts without ever logging in.
The flaw affects the library’s API keys plugin and enables unauthenticated attackers to mint privileged API keys for arbitrary users.
Exploitation of the vulnerability grants “… full authenticated access as the targeted user and, depending on the user’s privileges, could lead to account compromise, access to sensitive data, or broader application takeover,” said researchers in the advisory.
Inside the better-auth Authentication Bypass
The better-auth library sees roughly 300,000 weekly downloads on npm.
In some environments, API keys serve as long-lived authentication tokens for automation, integrations and service-to-service communication.
Unlike interactive logins, API keys often bypass multi-factor authentication (MFA) and remain valid long after a user logs out. If compromised, a single key can allow attackers to script access to sensitive data, trigger backend workflows or impersonate privileged users at scale.
How CVE-2025-61928 Works
The vulnerability, tracked as CVE-2025-61928, stems from flawed authorization logic in the createApiKey and updateApiKey handlers within the API keys plugin.
These handlers determine whether authentication is required by checking for a valid session and evaluating whether a userId field is present in the request body.
Under normal conditions, the system should derive the acting user from a validated session before permitting key creation or modification.
However, when no authenticated session exists but a userId is supplied in the JSON payload, the application incorrectly treats authentication as unnecessary.
Instead of rejecting the request, the handler constructs the user context directly from attacker-controlled input.
Because server-side validation routines execute only when authentication is required, this control flow flaw bypasses safeguards designed to protect privileged fields such as permissions, rateLimitMax, remaining and refillAmount.
Exploitation and Real-World Impact
As a result, an attacker can send a single POST request to /api/auth/api-key/create containing a victim’s userId and receive a valid API key bound to that account.
The same logic flaw affects /api/auth/api-key/update, enabling unauthorized modification of existing keys. Exploitation requires only knowledge or enumeration of a valid user identifier, making attack complexity low.
In practice, this represents an authentication bypass rooted in improper input validation and flawed user-context derivation.
With a valid API key, an attacker can authenticate as the targeted user, bypass MFA protections and potentially escalate impact depending on the account’s privileges.
A patched version of better-auth has been released to correct the authorization check.
Steps to Reduce API Key Abuse Risk
In light of this authentication bypass, organizations should take steps to reduce risk and confirm the integrity of affected systems.
Addressing the issue should extend beyond just patching to include credential management, monitoring and improved governance practices.
Since API keys often serve as long-lived access tokens, any unauthorized creation or modification may remain effective until explicitly revoked.
- Upgrade to the latest better-auth version and verify the patch is properly deployed across all environments.
- Rotate all API keys generated during the potential exposure window, invalidate unused or stale credentials and reissue keys for high-privilege accounts where necessary.
- Review application and reverse-proxy logs for unauthenticated requests to /api/auth/api-key/create or /api/auth/api-key/update, and monitor for suspicious API activity from unfamiliar IP addresses or service tokens.
- Enforce strict least privilege and scoped API key permissions, implement expiration policies for keys and require reauthentication or step-up MFA for sensitive key creation or modification actions.
- Apply rate limiting, alerting and abuse detection on API key creation and update endpoints to identify enumeration attempts or anomalous automation patterns.
- Strengthen dependency governance by enabling software composition analysis (SCA), monitoring security advisories and maintaining an up-to-date software bill of materials (SBOM).
- Test incident response plans for authentication bypass and credential abuse scenarios.
Collectively, these measures can help organizations limit the blast radius of potential credential abuse and build resilience.
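The log-review step from the list above, as an added example that is not part of the advisory: it scans reverse-proxy access-log lines for POST requests to the two API-key endpoints and flags requests that carried no session cookie yet received a 200, plus bursts from a single source IP. The log format (combined log with one extra trailing field holding the session cookie value, or "-" when absent) and the sample lines are constructed for the example.

```javascript
const TARGET_PATHS = new Set([
  "/api/auth/api-key/create",
  "/api/auth/api-key/update",
]);

// Constructed format: NGINX combined log plus one trailing field containing the
// session cookie value, "-" when the request carried no session cookie.
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \d+ "[^"]*" "[^"]*" (\S+)$/;

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], method: m[3],
    path: m[4].split("?")[0],
    status: Number(m[5]),
    hasSession: m[6] !== "-",
  };
}

// Two signals: (1) a request with no session cookie that still received a 200
// from an API-key endpoint, the bypass signature; (2) repeated requests from
// one source IP, which can indicate userId enumeration once the patch is in.
function findSuspicious(lines, enumThreshold = 3) {
  const findings = [];
  const perIp = new Map();
  for (const line of lines) {
    const r = parseLine(line);
    if (!r || r.method !== "POST" || !TARGET_PATHS.has(r.path)) continue;
    perIp.set(r.ip, (perIp.get(r.ip) || 0) + 1);
    if (!r.hasSession && r.status === 200) findings.push({ kind: "unauth_success", ...r });
  }
  for (const [ip, count] of perIp) {
    if (count >= enumThreshold) findings.push({ kind: "burst", ip, count });
  }
  return findings;
}

// Constructed sample lines (not real traffic).
const SAMPLE = [
  '10.0.0.5 - - [10/Oct/2025:12:00:01 +0000] "POST /api/auth/api-key/create HTTP/1.1" 200 312 "-" "Mozilla/5.0" s3ss10n',
  '203.0.113.7 - - [10/Oct/2025:12:00:09 +0000] "POST /api/auth/api-key/create HTTP/1.1" 200 298 "-" "curl/8.4.0" -',
  '203.0.113.7 - - [10/Oct/2025:12:00:11 +0000] "POST /api/auth/api-key/update HTTP/1.1" 200 141 "-" "curl/8.4.0" -',
  '10.0.0.5 - - [10/Oct/2025:12:01:00 +0000] "GET /dashboard HTTP/1.1" 200 5120 "-" "Mozilla/5.0" s3ss10n',
  '198.51.100.9 - - [10/Oct/2025:13:00:01 +0000] "POST /api/auth/api-key/create HTTP/1.1" 401 44 "-" "python-requests/2.32" -',
  '198.51.100.9 - - [10/Oct/2025:13:00:02 +0000] "POST /api/auth/api-key/create HTTP/1.1" 401 44 "-" "python-requests/2.32" -',
  '198.51.100.9 - - [10/Oct/2025:13:00:03 +0000] "POST /api/auth/api-key/create HTTP/1.1" 401 44 "-" "python-requests/2.32" -',
];
```

Run `findSuspicious(SAMPLE)` to see the two unauthenticated successes from 203.0.113.7 and the burst from 198.51.100.9; the legitimate session-backed request and the GET are ignored.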
Risk of Third-Party Auth Libraries
CVE-2025-61928 highlights how authorization logic issues in widely used libraries can weaken authentication controls and introduce risk into application environments.
As organizations continue to depend on API-driven integrations and third-party components, consistent user-context validation, disciplined credential management and ongoing monitoring remain important safeguards.
Third-party risk with libraries is prompting organizations to leverage zero-trust solutions that continuously verify identity and reduce implicit trust across applications and services.
