Critical Vulnerability in Better-Auth API Keys Plugin Allows Unauthorized Privileged Credential Creation

A significant security flaw has been identified in the widely used better-auth library’s API keys plugin, potentially enabling attackers to generate privileged credentials for any user without authentication. This vulnerability, designated CVE-2025-61928, affects better-auth, a TypeScript authentication framework with approximately 300,000 weekly downloads on npm.

Understanding the Vulnerability

The core issue resides in the `createApiKey` handler within the plugin. Under normal circumstances, this handler derives user context from an active session to enforce security checks. However, if a request lacks an active session but includes a `userId` in its body, the code sets an `authRequired` flag to false. This bypasses essential validations, allowing the handler to fabricate a user object based on attacker-supplied data.

Consequently, unauthenticated attackers can send a POST request to the `/api/auth/api-key/create` endpoint, supplying a target user’s ID, name, and optional privileged fields such as rate limits or permissions. The system then returns a valid API key associated with the victim’s account, effectively circumventing multi-factor authentication and facilitating unauthorized access. This same logic applies to update endpoints, further amplifying the risk.
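To make the precedence problem concrete, the following is an added, simplified model of the actor-resolution logic described above, placed beside a hardened variant. It is illustrative code written for this article, not better-auth's own handler; the body field names (`rateLimitMax`, `permissions`) and the `isServerCall` distinction are assumptions, and the hardened shape is one reasonable design rather than a claim about what the shipped fix does.

```typescript
// Added example (not better-auth's code): a simplified model of the session /
// body precedence described in the advisory, with a hardened variant beside it.
// Field names and the isServerCall flag are assumptions for illustration.

interface Session { userId: string; name: string }

interface CreateApiKeyBody {
  userId?: string;
  name?: string;
  // Privileged, server-only fields (names assumed for illustration).
  rateLimitMax?: number;
  permissions?: Record<string, string[]>;
}

interface Actor { userId: string; name: string; authRequired: boolean }

// Vulnerable shape: with no session but a body-supplied userId, the handler
// fabricates the user from request data and disables downstream checks.
function resolveActorVulnerable(session: Session | null, body: CreateApiKeyBody): Actor {
  if (session) {
    return { userId: session.userId, name: session.name, authRequired: true };
  }
  if (body.userId) {
    // authRequired=false means the later session/permission validations are skipped.
    return { userId: body.userId, name: body.name ?? "", authRequired: false };
  }
  throw new Error("UNAUTHORIZED");
}

// Hardened shape (an assumed design, not necessarily the shipped fix): for HTTP
// callers the identity comes only from the verified session, and neither a
// different userId nor privileged fields are accepted from the body. Only a
// trusted server-side call (no HTTP request behind it) may name a user.
function resolveActorHardened(
  session: Session | null,
  body: CreateApiKeyBody,
  isServerCall: boolean,
): Actor {
  if (isServerCall) {
    const userId = session?.userId ?? body.userId;
    if (!userId) throw new Error("UNAUTHORIZED");
    return { userId, name: session?.name ?? body.name ?? "", authRequired: true };
  }
  if (!session) throw new Error("UNAUTHORIZED");
  if (body.userId !== undefined && body.userId !== session.userId) throw new Error("FORBIDDEN");
  const hasPrivileged = body.rateLimitMax !== undefined || body.permissions !== undefined;
  if (hasPrivileged) throw new Error("FORBIDDEN");
  return { userId: session.userId, name: session.name, authRequired: true };
}

// Small helper for comparing the two: returns "ok" or the thrown error message.
function outcome(fn: () => Actor): string {
  try { fn(); return "ok"; } catch (e) { return (e as Error).message; }
}
```

The point of the comparison is the branch order: the vulnerable model consults the body as a fallback for a missing session, whereas the hardened model treats a missing session on an HTTP call as terminal and only lets a body-supplied `userId` through on a code path that an external client cannot reach.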

Potential Impact

API keys often grant long-term, elevated privileges for automation purposes, making this vulnerability particularly perilous. Exploiting this flaw could allow attackers to impersonate users, access sensitive data, or automate malicious actions across various services. While only deployments utilizing the API keys plugin are affected, the widespread adoption of better-auth means that a significant number of applications are at risk.

Mitigation Measures

To address this vulnerability, it is imperative to:

1. Upgrade the Library: Immediately update to better-auth version 1.3.26 or later, which includes a fix for the authorization check.

2. Rotate API Keys: Replace all API keys created via the plugin, invalidate any unused ones, and audit logs for suspicious unauthenticated requests to create or update endpoints, especially those involving `userId` or high-privilege values.
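The log audit in step 2 is easy to script once the request log carries the method, path, whether a valid session was presented, and the parsed body. The following is an added example for this article, not tooling from the advisory or from better-auth: the one-JSON-object-per-line log format is constructed, the sample entries are invented, and the privileged field names are assumptions to be mapped onto your deployment's actual request schema.

```typescript
// Added example, not from the advisory or better-auth: audit a request log for
// sessionless or privilege-carrying calls to the API key create/update endpoints.
// The log format (one JSON object per line) is constructed for this example and
// the privileged field names are assumptions.

interface LogEntry {
  ts: string;
  method: string;
  path: string;
  hasSession: boolean;              // whether a valid session was presented
  body?: Record<string, unknown>;   // parsed request body, if any
}

interface Finding { ts: string; path: string; reasons: string[] }

const API_KEY_PATHS = new Set(["/api/auth/api-key/create", "/api/auth/api-key/update"]);
// Fields that only trusted server-side code should ever set (assumed names).
const PRIVILEGED_FIELDS = ["rateLimitMax", "permissions", "remaining"];

function parseEntry(line: string): LogEntry | null {
  try {
    const obj = JSON.parse(line);
    if (typeof obj?.method !== "string" || typeof obj?.path !== "string") return null;
    return obj as LogEntry;
  } catch {
    return null; // malformed line: skip rather than abort the audit
  }
}

function auditApiKeyRequests(lines: string[]): Finding[] {
  const findings: Finding[] = [];
  for (const line of lines) {
    const entry = parseEntry(line);
    if (!entry) continue;
    if (entry.method !== "POST" || !API_KEY_PATHS.has(entry.path)) continue;
    const body = entry.body ?? {};
    const reasons: string[] = [];
    if (!entry.hasSession) reasons.push("no session on a create/update call");
    if ("userId" in body) reasons.push("client supplied userId");
    const priv = PRIVILEGED_FIELDS.filter((f) => f in body);
    if (priv.length > 0) reasons.push(`client supplied privileged fields: ${priv.join(", ")}`);
    if (reasons.length > 0) findings.push({ ts: entry.ts, path: entry.path, reasons });
  }
  return findings;
}

// Constructed sample log for the example; not real traffic.
const SAMPLE_LOG: string[] = [
  JSON.stringify({ ts: "2025-10-03T10:00:00Z", method: "POST", path: "/api/auth/api-key/create",
    hasSession: true, body: { name: "ci-bot" } }),
  JSON.stringify({ ts: "2025-10-03T10:05:00Z", method: "POST", path: "/api/auth/api-key/create",
    hasSession: false, body: { userId: "user_123", name: "x", rateLimitMax: 1000000 } }),
  JSON.stringify({ ts: "2025-10-03T10:07:00Z", method: "POST", path: "/api/auth/api-key/update",
    hasSession: true, body: { keyId: "k1", permissions: { files: ["write"] } } }),
  JSON.stringify({ ts: "2025-10-03T10:09:00Z", method: "GET", path: "/api/auth/api-key/list",
    hasSession: true }),
  "not a json line",
];

for (const f of auditApiKeyRequests(SAMPLE_LOG)) {
  console.log(`${f.ts} ${f.path}: ${f.reasons.join("; ")}`);
}
```

Any sessionless hit on these endpoints during the exposure window is a rotation trigger for the affected user's keys; a session-backed call that sets privileged fields is worth a second look because a patched deployment should not be honouring those from the client either.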

Response and Disclosure

The maintainers acted swiftly upon disclosure on October 2, releasing a patch shortly thereafter. The advisory (GHSA-99h5-pjcv-gr6v) was published on October 8 via GitHub, with the CVE assigned the following day.

Broader Context

This incident underscores the critical importance of rigorous security practices in authentication libraries, which serve as foundational components for numerous applications. Developers and organizations must remain vigilant, regularly updating dependencies and conducting thorough security assessments to mitigate potential risks.