Critical better-auth API Key Bypass Enables Account Takeover


The better-auth API keys plugin contains a critical authentication bypass vulnerability, tracked as CVE-2025-61928, that allows unauthenticated attackers to create privileged API keys for any user account. All versions before 1.3.26 suffer from this flaw; the package sees 300,000+ weekly npm downloads and powers authentication for enterprises including Equinor.

ZeroPath's SAST scanner discovered the issue on October 1, 2025, during dependency analysis for large organizations. The createApiKey handler fails to validate unauthenticated requests that carry a userId in the JSON body.

When no session exists but a userId appears in the body, authRequired evaluates to false. Attackers bypass validation and mint keys with elevated settings such as rateLimitMax, permissions, and refillAmount.

Technical Root Cause

Flawed conditional logic:

if (!session && !body.userId) {
  authRequired = true;  // Only blocks requests with neither a session nor a userId
}

Attack path:

POST /api/auth/api-key/create
{
  "userId": "[email protected]",
  "rateLimitMax": 999999,
  "permissions": ["admin", "billing"]
}

The handler constructs the user object from attacker-supplied input, skipping privilege checks. The same flaw affects the updateApiKey handler.

Complete Attack Flow

  1. Recon: Enumerate/guess target userId values
  2. Mint key: POST unauthenticated request with victim userId
  3. Privilege escalation: Set arbitrary rateLimitMax, permissions
  4. Account takeover: Use API key bypassing MFA entirely
  5. Persistence: Key outlives browser sessions

A single POST request grants full API access to any account.

Impact Assessment

Impact Area          | Severity | Description
Account Takeover     | Critical | Unauthenticated API key minting
Privilege Escalation | Critical | Arbitrary permissions assignment
MFA Bypass           | Critical | Long-lived keys ignore 2FA
Automation Abuse     | High     | Elevated rate limits for scripted attacks

API keys carry automation privileges wherever the plugin is deployed, from startups to Equinor-scale enterprises.

Affected Versions and Scope

Package              | Vulnerable Range | Downloads/Week | Fixed Version
better-auth/api-keys | < 1.3.26         | 300,000+       | 1.3.26

Every release shipping the API keys plugin before 1.3.26 is vulnerable; no deployment is safe until it is patched.

Patch Analysis

Version 1.3.26 fix:

// Proper auth check BEFORE user construction
if (!session?.userId) {
  throw new UnauthorizedError('Authentication required');
}
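The flawed conditional and its fix side by side, as an added example that models the handler logic described here and under Technical Root Cause above. This is constructed code, not the better-auth source; the request shape, the key store array and the placeholder victim id are assumptions of the example.

```javascript
// Constructed model of the createApiKey handler logic described on this page.
// Example code, not the better-auth source. Assumed request shape:
// { session: { userId } | null, body: { userId?, rateLimitMax?, permissions? } }.

// "Before": the flawed conditional from the advisory.
function createApiKeyVulnerable(req, store) {
  const { session, body } = req;
  let authRequired = false;
  // Auth is demanded only when BOTH session and body.userId are absent, so an
  // unauthenticated request that merely names a userId is never challenged.
  if (!session && !body.userId) {
    authRequired = true;
  }
  if (authRequired) return { status: 401, error: 'Authentication required' };
  // The user object is built from whatever the caller sent.
  const user = session ? { id: session.userId } : { id: body.userId };
  const key = {
    userId: user.id,
    rateLimitMax: body.rateLimitMax ?? 100,
    permissions: body.permissions ?? [],
  };
  store.push(key);
  return { status: 200, key };
}

// "After": require a session first, then bind the key to its owner (the
// "validate userId against session owner" rule from the advisory).
function createApiKeyFixed(req, store) {
  const { session, body } = req;
  if (!session?.userId) return { status: 401, error: 'Authentication required' };
  if (body.userId !== undefined && body.userId !== session.userId) {
    return { status: 403, error: 'userId does not match session owner' };
  }
  const key = {
    userId: session.userId,
    rateLimitMax: body.rateLimitMax ?? 100,
    permissions: body.permissions ?? [],
  };
  store.push(key);
  return { status: 200, key };
}

// Constructed request mirroring the attack path above: no session, a victim's
// id in the body ('victim-user-id' is a placeholder, not a real account).
const attackRequest = {
  session: null,
  body: { userId: 'victim-user-id', rateLimitMax: 999999, permissions: ['admin', 'billing'] },
};

console.log(createApiKeyVulnerable(attackRequest, []).status, createApiKeyFixed(attackRequest, []).status); // 200 401
```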

ZeroPath timeline:

  • Oct 1, 2025: Discovery
  • Oct 2, 2025: Patch shipped (24 hours)
  • Oct 10, 2025: Public disclosure (8 days)

Maintainers responded within 24 hours of responsible disclosure.

Immediate Remediation

Upgrade first:

npm install [email protected]
# Restart all services

Credential rotation:

  • Invalidate ALL API keys generated before 1.3.26
  • Rotate service accounts using better-auth
  • Audit active keys for unusual permissions

Log review (past 6 months):

POST /api/auth/api-key/create  # Missing session cookies
POST /api/auth/api-key/update  # Contains userId, permissions

Detection Indicators

Suspicious requests:

No session cookies + userId in body
rateLimitMax > normal limits
permissions array contains admin/billing
Unknown IP minting keys

Key anomalies:

New keys with elevated rateLimitMax
Permissions not matching user roles
Mass key generation events

Enterprise Actions

Pipeline verification:

npm ls better-auth
npm audit --audit-level moderate

WAF rules:

Block POST /api/auth/api-key/* without session cookies
Rate limit key creation endpoints
Validate userId against session owner

Prevention Framework

Code review:

  • Static analysis for auth bypass patterns
  • Session validation before user construction
  • Zero-trust API key issuance

Runtime:

  • API gateway auth enforcement
  • Key rotation policies (90 days)
  • Usage monitoring and alerting

FAQ

What vulnerability affects better-auth?

CVE-2025-61928: Unauthenticated API key minting.

Which versions are vulnerable?

All better-auth releases with the API keys plugin before 1.3.26.

Is a single-request takeover possible?

Yes. A POST to /api/auth/api-key/create with the victim's userId mints a privileged key.

Is a patch available?

Version 1.3.26 fixes the auth logic. Deploy it immediately.

What are the log indicators?

Unauthenticated POSTs to key endpoints with userId in body.

Is Equinor affected?

The package is used by Equinor and sees 300K+ weekly downloads.

Readers help support VPNCentral. We may get a commission if you buy through our links.
