Skip to content

Routing Bug Can Lead to Cache Deception

Moderate
Bekacru published GHSA-hq75-xg7r-rx6c Jul 11, 2025

Package

npm better-call (npm)

Affected versions

<= 1.0.11

Patched versions

>= 1.0.12

Description

Summary

Using a CDN that caches (/**/*.png, /**/*.json, /**/*.css, etc...) requests, a cache deception (also called cache poisoning) can emerge, This could lead to unauthorized access to user sessions and personal data when cached responses are served to other users.

Details

The vulnerability occurs in the request processing logic where path sanitization is insufficient. The library splits the path using config.basePath but doesn't properly validate the remaining path components. This allows specially crafted requests that appear to be static assets (like /api/auth/get-session/api/auth/image.png assuming config.basePath=/api/auth) to bypass typical CDN cache exclusion rules while actually returning sensitive data.

The problematic code here:

	const processRequest = async (request: Request) => {
		const url = new URL(request.url);
		const path = config?.basePath ? url.pathname.split(config.basePath)[1] : url.pathname;

Since this library is largely coupled with better-auth, it becomes more clear why this can be dangerous with an example request:

image

Impact

This is a cache deception vulnerability affecting better-call users with CDN caching enabled. which can expose sensitive data.

Severity

Moderate

CVE ID

No known CVE

Weaknesses

Use of Cache Containing Sensitive Information

The code uses a cache that contains sensitive information, but the cache can be read by an actor outside of the intended control sphere. Learn more on MITRE.

Credits