Critical better-auth Plugin Flaw Allows Account Takeover; Patch Released, Users Urged to Update

Critical Vulnerability in better-auth API Keys Plugin Enables Unauthenticated Account Takeover

A critical security flaw has been identified in the better-auth API keys plugin, allowing unauthenticated attackers to generate privileged API keys for any user account. This vulnerability, designated as CVE-2025-61928, affects all versions of the better-auth library prior to 1.3.26. The library, a TypeScript authentication framework, is widely used, with approximately 300,000 weekly downloads on npm, and serves organizations ranging from startups to large enterprises like Equinor.

Discovery and Technical Details

The vulnerability was discovered on October 1, 2025, by ZeroPath’s automated static application security testing (SAST) scanner during an analysis of better-auth’s canary branch. The flaw resides in the `createApiKey` handler within the API keys plugin. This handler determines whether authentication is required by checking for the presence of a session and a `userId` field in the request body.

In scenarios where no session exists but a `userId` is provided in the JSON body, the `authRequired` variable is set to `false`. This causes the handler to construct a user object directly from the attacker-controlled input, bypassing the validation branch that normally restricts privileged fields such as `rateLimitMax`, `remaining`, `refillAmount`, and `permissions`.

Consequently, an unauthenticated attacker can send a POST request to the `/api/auth/api-key/create` endpoint with a victim’s user ID in the body and receive a fully valid API key associated with that account. The same flawed logic also affects the `updateApiKey` handler, expanding the attack surface to credential modification. This vulnerability has been present in every release containing the API keys plugin, making all prior versions susceptible.

Potential Impact

The implications of this vulnerability are severe. API keys often have longer lifespans than browser sessions and typically carry elevated privileges for automation purposes. With a valid API key, an attacker can bypass multi-factor authentication entirely and take over any account whose user identifier is known or guessable. This could lead to unauthorized access to sensitive data, manipulation of user accounts, and potential disruption of services.

Mitigation Measures

Organizations utilizing the better-auth API keys plugin should take immediate action to mitigate this vulnerability:

1. Upgrade the Library: Update to better-auth version 1.3.26 or later, which addresses the flawed authorization check.

2. Rotate API Keys: After upgrading, rotate all API keys generated through the plugin during the exposure window and invalidate any unused credentials.

3. Audit Logs: Review application and reverse-proxy logs for unauthenticated calls to `/api/auth/api-key/create` or `/api/auth/api-key/update`, particularly requests lacking authenticated session cookies where the body sets `userId`, `rateLimitMax`, or `permissions` fields.

4. Monitor for Suspicious Activity: Be vigilant for API usage originating from unfamiliar IP addresses or service tokens, which may indicate unauthorized access.
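The log review in step 3 can be scripted. The following TypeScript is an added example, not code from better-auth, ZeroPath, or the advisory: it flags unauthenticated POSTs to the two affected endpoints whose body sets a privileged field. The one-JSON-object-per-line log format, the sample lines, and the session cookie name pattern are assumptions for illustration and should be adapted to your deployment.

```typescript
// Added example (not better-auth project code): scan access-log lines for the
// unauthenticated API-key create/update pattern described in the advisory.
// Assumed, constructed log format: one JSON object per line with
// method, path, cookie (raw Cookie header or ""), and body (raw request body).

interface Finding { line: number; path: string; privilegedFields: string[]; }

const TARGET_PATHS = new Set(["/api/auth/api-key/create", "/api/auth/api-key/update"]);
// Body fields that only an authenticated, authorized caller should be able to set.
const PRIVILEGED_FIELDS = ["userId", "rateLimitMax", "remaining", "refillAmount", "permissions"];
// Assumption: the session cookie name contains "session_token"; adjust to your setup.
const SESSION_COOKIE_PATTERN = /(^|;\s*)[\w.-]*session_token=/;

function parseJson(text: string): Record<string, unknown> | null {
  try {
    const v = JSON.parse(text);
    return v && typeof v === "object" ? (v as Record<string, unknown>) : null;
  } catch {
    return null; // malformed line or body: skip rather than crash the audit
  }
}

function hasSessionCookie(cookieHeader: string): boolean {
  return SESSION_COOKIE_PATTERN.test(cookieHeader);
}

function findSuspiciousApiKeyCalls(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  lines.forEach((raw, idx) => {
    const entry = parseJson(raw);
    if (!entry || entry.method !== "POST" || typeof entry.path !== "string") return;
    const path = entry.path.split("?")[0] ?? "";
    if (!TARGET_PATHS.has(path)) return;
    // A request carrying a session cookie is ordinary authenticated usage.
    if (hasSessionCookie(typeof entry.cookie === "string" ? entry.cookie : "")) return;
    const body = parseJson(typeof entry.body === "string" && entry.body ? entry.body : "{}");
    if (!body) return;
    const hit = PRIVILEGED_FIELDS.filter((f) => f in body);
    if (hit.length > 0) findings.push({ line: idx + 1, path, privilegedFields: hit });
  });
  return findings;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG: string[] = [
  JSON.stringify({ method: "POST", path: "/api/auth/api-key/create", cookie: "better-auth.session_token=abc", body: '{"name":"ci"}' }),
  JSON.stringify({ method: "POST", path: "/api/auth/api-key/create", cookie: "", body: '{"userId":"victim-id","permissions":{"*":["*"]}}' }),
  JSON.stringify({ method: "POST", path: "/api/auth/api-key/update", cookie: "theme=dark", body: '{"keyId":"k1","rateLimitMax":999999}' }),
  JSON.stringify({ method: "GET", path: "/api/auth/session", cookie: "", body: "" }),
];
```

Running `findSuspiciousApiKeyCalls(SAMPLE_LOG)` reports lines 2 and 3 of the constructed log; a match should be correlated with the key records created or updated at that time and those keys rotated.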

Response and Timeline

The maintainers of better-auth responded promptly to the responsible disclosure. A patch was released within 24 hours, and the GitHub Security Advisory GHSA-99h5-pjcv-gr6v, along with the CVE-2025-61928 assignment, was published shortly thereafter. The coordinated timeline from discovery to public advisory spanned just eight days, reflecting a strong commitment to security and swift remediation.

Conclusion

This critical vulnerability in the better-auth API keys plugin underscores the importance of rigorous security practices in authentication frameworks. Organizations must remain vigilant, promptly apply security updates, and continuously monitor their systems to protect against potential exploits.