Summary
ZeroPath reported CVE-2025-61928 in better-auth’s API keys plugin. The issue allowed unauthenticated requests to create or update API keys for arbitrary users by supplying a victim user ID in the request body.
The public GitHub advisory describes the same fallback-user-context mistake and lists better-auth 1.3.26 as the patched version. The package advisory rates the issue high under CVSS 3.1, while NVD also shows a critical CVSS 4.0 CNA score. Bugflation uses the high label here because the GitHub advisory is the clearest package-level severity source.
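To make the weakness class concrete, here is an added illustration (hypothetical handler code written for this entry, not better-auth's code or its fix): a route that falls back to a client-supplied user ID when no session is present, beside the hardened form that takes identity from the authenticated session only. `session`, `body`, `store` and the `demo` scenario are constructed for the example.

```javascript
// Hypothetical API-key creation handlers; `session` is the validated session
// for the caller (or null when the request is unauthenticated), `body` is the
// parsed JSON body, `store` persists keys. Not better-auth's own code.

function createApiKeyVulnerable(session, body, store) {
  // BUG (the fallback-user-context pattern): with no session, the handler
  // trusts whatever user ID the client put in the request body.
  const userId = session ? session.user.id : body.userId;
  if (!userId) return { status: 401, error: "unauthenticated" };
  return { status: 200, key: store.create(userId, body.name) };
}

function createApiKeyHardened(session, body, store) {
  // Identity comes only from the authenticated session; `body.userId` is
  // never consulted, so a caller cannot mint keys for another account.
  if (!session) return { status: 401, error: "unauthenticated" };
  return { status: 200, key: store.create(session.user.id, body.name) };
}

// Constructed in-memory key store that records the owner of each key.
function makeStore() {
  const keys = [];
  return {
    keys,
    create(userId, name) {
      const key = { id: `key_${keys.length + 1}`, userId, name };
      keys.push(key);
      return key;
    },
  };
}

// Constructed scenario: one unauthenticated request and one authenticated
// request, both naming a different account ("victim-123") in the body.
function demo() {
  const body = { userId: "victim-123", name: "ci-token" };
  const alice = { user: { id: "alice-1" } };
  const vulnNoSession = createApiKeyVulnerable(null, body, makeStore());
  const hardNoSession = createApiKeyHardened(null, body, makeStore());
  const hardWithSession = createApiKeyHardened(alice, body, makeStore());
  return {
    vulnerableStatus: vulnNoSession.status,            // 200: key minted
    vulnerableOwner: vulnNoSession.key.userId,         // "victim-123"
    hardenedStatus: hardNoSession.status,              // 401: rejected
    hardenedOwner: hardWithSession.key.userId,         // "alice-1", not the body's ID
  };
}
```

The detection takeaway follows from the vulnerable branch: any key-creation request that carries a `userId` in its body but no session is the anomaly to alert on.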
Attribution
ZeroPath’s post says the scanner found the bug during work on dependency-intake auditing. The independent advisory trail corroborates the vulnerability and fix, but the AI attribution comes from ZeroPath.
Why it matters
Authentication libraries are high-leverage targets. A small authorization mistake in a plugin can become account takeover in every downstream application that uses the affected route. The finding fits Bugflation’s thesis because the reported weakness is a logic and intent mismatch, not a simple syntactic sink.
References
- ZeroPath: better-auth CVE-2025-61928
- GitHub security advisory: GHSA-99h5-pjcv-gr6v
- GitHub Advisory Database: CVE-2025-61928
- NVD: CVE-2025-61928
- better-auth fix commit 5560850
Catalogued in the Bugflation public ledger. Disagree with the attribution or severity label? Email the desk.