
Commit bc089ad

1 parent 8f4ae82 commit bc089ad

1 file changed: +5 -5 lines changed

advisories/github-reviewed/2025/10/GHSA-99h5-pjcv-gr6v/GHSA-99h5-pjcv-gr6v.json

Lines changed: 5 additions & 5 deletions
@@ -1,17 +1,17 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-99h5-pjcv-gr6v",
4-
"modified": "2025-10-13T15:39:47Z",
4+
"modified": "2025-12-09T16:24:49Z",
55
"published": "2025-10-09T15:40:50Z",
66
"aliases": [
77
"CVE-2025-61928"
88
],
99
"summary": "Better Auth: Unauthenticated API key creation through api-key plugin",
10-
"details": "### Summary\nUnauthenticated attackers can create or modify API keys for any user by passing that user's id in the request body to the `api/auth/api-key/create` route.\n\n### Details\nThe vulnerability exists in the authentication logic at when checking for user authentication then derives the user as `session?.user ?? (authRequired ? null : { id: ctx.body.userId })`. When no session exists but `userId` is present in the request body, `authRequired` becomes false and the user object is set to the attacker-controlled ID. Server-only field validation only executes when `authRequired` is true (lines 280-295), allowing attackers to set privileged fields. No additional authentication occurs before the database operation, so the malicious payload is accepted. The same pattern exists in the update endpoint.\n\n### PoC\n```bash\ncurl -X POST http://localhost:3000/api/auth/api-key/create \\\n -H 'Content-Type: application/json' \\\n -d '{\n \"userId\": \"victim-user-id\",\n \"name\": \"zeropath\"\n }'\n```\nResponse contains the new API key whose userId matches the victim, confirming the bypass. \n\n### Impact\nThis is a critical authentication bypass enabling full an unauthenticated attacker can generate an API key for any user and immediately gain complete authenticated access. This allows the attacker to perform any action as the victim user using the api key, potentially compromise the user data and the application depending on the victim's privileges.\n\nThis issue was found by [ZeroPath](https://zeropath.com).",
10+
"details": "### **Summary**\n\nA critical authentication bypass was identified in the API key creation and update endpoints. An attacker could create or modify API keys for arbitrary users by supplying a victim’s user ID in the request body. Due to a flaw in how the authenticated user was derived, the endpoints could treat attacker-controlled input as an authenticated user object under certain conditions.\n\n### **Details**\n\nThe vulnerability originated from fallback logic used when determining the current user. When no session was present, the handler incorrectly allowed request-body data to populate the user context used for authorization decisions. Because server-side validation only executed when authentication was required, privileged fields were not properly protected. As a result, the API accepted unauthenticated requests that targeted other users.\n\nThis same pattern affected both the API key creation and update routes.\n\n### **Impact**\n\nUnauthenticated attackers could generate or modify API keys belonging to any user. This granted full authenticated access as the targeted user and, depending on the user’s privileges, could lead to account compromise, access to sensitive data, or broader application takeover.",
1111
"severity": [
1212
{
13-
"type": "CVSS_V4",
14-
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
1515
}
1616
],
1717
"affected": [
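Review bot: The rewritten "details" still calls this "a critical authentication bypass" and describes "full authenticated access as the targeted user" and "broader application takeover", yet the same hunk swaps the CVSS v4 vector (VC:H/VI:H/VA:H) for a CVSS 3.1 vector that rates integrity and availability as Low (C:H/I:L/A:L), which computes to 8.6 (High). Either the prose or the vector is wrong; a reviewer should ask for a one-line justification of I:L/A:L in the advisory, or restore VI:H/VA:H-equivalent scoring. Separately, the OSV "severity" field is an array, so the CVSS_V3 entry could be added alongside the existing CVSS_V4 entry rather than replacing it; dropping the v4 vector loses information consumers already ingested. Finally, the new text no longer names the affected route (`api/auth/api-key/create`) or the update endpoint that the old text identified, which makes it harder for defenders to write detections or audit logs for the vulnerable paths; keeping the route names while dropping the PoC would preserve that value.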
@@ -58,7 +58,7 @@
5858
"CWE-285",
5959
"CWE-306"
6060
],
61-
"severity": "CRITICAL",
61+
"severity": "HIGH",
6262
"github_reviewed": true,
6363
"github_reviewed_at": "2025-10-09T15:40:50Z",
6464
"nvd_published_at": "2025-10-09T22:15:32Z"
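Review bot: The database_specific "severity" is lowered from "CRITICAL" to "HIGH", which matches the new CVSS 3.1 vector in the first hunk, but nothing else in this hunk changes: the CWE list (CWE-285, CWE-306) and "github_reviewed_at" are untouched, and the advisory text in the first hunk still describes the issue as critical. If the downgrade is intentional, the "details" summary should drop the "critical" wording in the same commit so the label, the vector and the narrative agree.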
