CVE-2025-61928: Better Auth: Unauthenticated API key creation through api-key plugin
Unauthenticated attackers can create or modify API keys for any user by passing that user’s id in the request body to the api/auth/api-key/create route.
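The authorization flaw described above, as an added example that is not Better Auth's code: a simplified model that contrasts taking the key owner from the request body with taking it only from the authenticated session. The request shape ({ session, body }), the keyId field and all function names are assumptions made for illustration.

```javascript
// Added example: simplified model of the authorization decision, not Better Auth's code.
// The request shape ({ session, body }) and every name below are assumptions.

// Flawed: with no session, the owner is taken from the request body.
function resolveOwnerFlawed(req) {
  const ownerId = req.session?.userId ?? req.body?.userId;
  return ownerId ? { status: 200, ownerId } : { status: 401 };
}

// Hardened: the owner comes only from the authenticated session; a body
// userId naming someone else is rejected rather than silently ignored.
function resolveOwnerHardened(req) {
  const sessionUser = req.session?.userId;
  if (!sessionUser) return { status: 401 };
  const claimed = req.body?.userId;
  if (claimed !== undefined && claimed !== sessionUser) return { status: 403 };
  return { status: 200, ownerId: sessionUser };
}

// Create or modify a key record using the chosen owner-resolution policy.
// keys: Map of keyId -> { ownerId, name }. Secret generation is out of scope.
function upsertKey(resolveOwner, req, keys) {
  const auth = resolveOwner(req);
  if (auth.status !== 200) return auth;
  const { keyId, name } = req.body;
  const existing = keys.get(keyId);
  // Modifying an existing key requires that the resolved owner already owns it.
  if (existing && existing.ownerId !== auth.ownerId) return { status: 403 };
  keys.set(keyId, { ownerId: auth.ownerId, name });
  return { status: 200, ownerId: auth.ownerId };
}

// Constructed requests: one without a session that names another user, one legitimate.
const unauthenticated = { session: null, body: { userId: "user-victim", keyId: "k1", name: "x" } };
const legitimate = { session: { userId: "user-alice" }, body: { keyId: "k2", name: "ci" } };

function demo() {
  const flawedKeys = new Map(), hardenedKeys = new Map();
  return {
    flawed: upsertKey(resolveOwnerFlawed, unauthenticated, flawedKeys).status,
    hardened: upsertKey(resolveOwnerHardened, unauthenticated, hardenedKeys).status,
    legit: upsertKey(resolveOwnerHardened, legitimate, hardenedKeys).status,
    victimKeyCreated: flawedKeys.get("k1")?.ownerId === "user-victim",
  };
}
console.log(demo());
```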