GHSA-99h5-pjcv-gr6v: Better Auth: Unauthenticated API key creation through api-key plugin

October 9, 2025

Unauthenticated attackers can create or modify API keys for any user by passing that user’s id in the request body to the api/auth/api-key/create route.

References

github.com/advisories/GHSA-99h5-pjcv-gr6v
github.com/better-auth/better-auth
github.com/better-auth/better-auth/commit/556085067609c508f8c546ceef9003ee8c607d39
github.com/better-auth/better-auth/security/advisories/GHSA-99h5-pjcv-gr6v

Code Behaviors & Features

Detect and mitigate GHSA-99h5-pjcv-gr6v with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →