Critical Better-Auth Flaw Lets Attackers Create API Keys Without Login, Enabling Full Account Takeover

A high-severity security vulnerability in the widely used Better-Auth authentication framework has been disclosed — one that allows attackers to create API keys for arbitrary users without any authentication, effectively bypassing normal access controls and enabling full account takeover.

What Is Better-Auth?

Better-Auth is a modern, plugin-based authentication library for JavaScript/TypeScript applications. It simplifies common authentication patterns such as session management, token issuance, and API key handling. It has significant adoption via npm, with hundreds of thousands of weekly downloads and usage in both open-source and enterprise applications.

A critical component of Better-Auth is its API keys plugin, which developers use to generate and manage API keys used for service-to-service communication, automations, and integrations.


The Vulnerability: How It Works

The vulnerability — tracked as CVE-2025-61928 — stems from faulty authorization logic in the create API key and update API key endpoints of the Better-Auth API keys plugin.

Root Cause

Under normal conditions, API key creation should be gated by proper authentication and authorization checks. The handler logic in Better-Auth attempts to determine the acting user based on the current session. However:

  • If no valid session exists but the request body includes a userId, the logic incorrectly treats the request as authenticated.
  • This is due to an improper fallback that constructs a user context directly from attacker-controlled input when authentication isn’t strictly required.
  • When this fallback is triggered, downstream validation that normally protects privileged fields (e.g., permissions, rate limits) is skipped, allowing mass creation of API keys.

In code terms, the handler treats a userId supplied in the request body as if it were an authenticated identity, even though no session has verified it. This is a classic case of broken authentication/authorization logic — trust is placed in unverified input.


Exploitability and Impact

Because API keys are often long-lived and bypass interactive authentication (including multi-factor authentication, MFA), the vulnerability is exceptionally dangerous:

  • Unauthenticated attackers can mint an API key for any user identifier they know or can guess.
  • Possessing a valid API key grants authenticated access as that user, including bypassing MFA protections.
  • For accounts with elevated privileges, this can lead to full account takeover, data exfiltration, or broader system compromise.

The complexity of exploitation is low — it can be achieved with a single HTTP request if the attacker knows a target user’s ID.


Proof of Concept (High-Level)

A simple curl command illustrates the flaw:

curl -X POST https://your-app.com/api/auth/api-key/create \
  -H "Content-Type: application/json" \
  -d '{
        "userId": "TARGET_USER_ID",
        "name": "attack"
      }'

If the server uses a vulnerable version of Better-Auth, it will return a valid API key for the specified user without requiring login. This key can then be used to access the application with all privileges of that user.


Mitigations & Recommendations

Immediate Actions

  1. Update Better-Auth:
    Apply the vendor’s patch or upgrade to a fixed version that corrects the flawed authorization logic.
  2. Rotate API Keys:
    In affected systems, invalidate all existing API keys and issue fresh credentials.
  3. Monitor API Requests:
    Look for unauthorized or anomalous calls to api-key/create or api-key/update endpoints.
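As an added example of the monitoring step (not part of the original article and not a Better-Auth feature), the following scans access-log lines for two signals: API-key create/update calls that succeeded without a session, and bursts of such calls from one client address that may indicate user-ID enumeration. The log lines are constructed for this example, and the key=value field names (ip, path, session, status, userId) are assumptions about how your gateway or framework logs requests.

```javascript
// Added detection example; not from the article or from Better-Auth.
// Input: constructed, space-separated key=value access-log lines (assumed format).
const SAMPLE_LOG = [
  "2025-10-08T10:00:01Z ip=198.51.100.5 method=POST path=/api/auth/api-key/create session=sess_ok status=200 userId=user_alice",
  "2025-10-08T10:00:05Z ip=203.0.113.7 method=POST path=/api/auth/api-key/create session=none status=200 userId=user_1",
  "2025-10-08T10:00:06Z ip=203.0.113.7 method=POST path=/api/auth/api-key/create session=none status=200 userId=user_2",
  "2025-10-08T10:00:07Z ip=203.0.113.7 method=POST path=/api/auth/api-key/update session=none status=200 userId=user_3",
  "2025-10-08T10:00:09Z ip=203.0.113.7 method=GET path=/api/auth/session session=none status=401",
  "2025-10-08T10:01:30Z ip=198.51.100.5 method=POST path=/api/auth/api-key/create session=none status=401",
];

// Endpoints named in the advisory: create and update of the API keys plugin.
const KEY_ENDPOINT = /\/api\/auth\/api-key\/(create|update)$/;

// Parse "timestamp k=v k=v ..." into an object; the first token is the timestamp.
function parseLine(line) {
  const [ts, ...rest] = line.trim().split(/\s+/);
  const fields = { ts };
  for (const kv of rest) {
    const i = kv.indexOf("=");
    if (i > 0) fields[kv.slice(0, i)] = kv.slice(i + 1);
  }
  return fields;
}

// Returns findings: one per successful key operation with no session, plus one
// per client IP that hits the key endpoints burstThreshold times within burstWindowMs.
function detect(lines, { burstThreshold = 3, burstWindowMs = 60 * 1000 } = {}) {
  const findings = [];
  const hitsByIp = new Map();
  for (const line of lines) {
    const f = parseLine(line);
    if (!KEY_ENDPOINT.test(f.path || "")) continue;
    // Signal 1: a key was created/updated although no session was present.
    if (f.session === "none" && f.status === "200") {
      findings.push({ kind: "unauthenticated_key_success", ip: f.ip, ts: f.ts, target: f.userId });
    }
    // Collect timestamps per IP for the burst check (successful or not).
    const times = hitsByIp.get(f.ip) || [];
    times.push(Date.parse(f.ts));
    hitsByIp.set(f.ip, times);
  }
  // Signal 2: sliding window over each IP's key-endpoint calls.
  for (const [ip, times] of hitsByIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > burstWindowMs) start++;
      if (end - start + 1 >= burstThreshold) {
        findings.push({ kind: "key_issuance_burst", ip, count: end - start + 1 });
        break;
      }
    }
  }
  return findings;
}
```

On the constructed log this reports three unauthenticated successes (the three session=none calls from 203.0.113.7) and one burst for that address; the legitimate call at 10:00:01 and the rejected 401 at 10:01:30 produce no finding. After patching, the first signal should drop to zero; if it does not, the deployed version is still vulnerable.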

Hardening Practices

  • Enforce strict authorization checks on API key creation paths — only authenticated and authorized users should invoke sensitive operations.
  • Rate limit key issuance and log unusual patterns that may indicate enumeration or abuse.
  • Apply least privilege to keys — restrict scopes and enforce short lifetimes.
  • Integrate Software Composition Analysis (SCA) to detect vulnerable dependencies early.

Organizations that rely on third-party authentication libraries must adopt robust dependency governance to avoid inheriting critical security risks from those dependencies.


Conclusion

CVE-2025-61928 highlights how flawed authentication logic in widely adopted libraries like Better-Auth can lead to severe security breaches. Attackers exploiting this vulnerability can obtain fully authenticated access as a user without presenting that user's credentials, underlining the importance of rigorous authorization validation, dependency management, and runtime monitoring in modern application security architecture.