Get a Demo

Let's Patch It!

Book a short call with one our specialists, we'll walk you through how Endor Patches work, and ask you a few questions about your environment (like your primary programming languages and repository management). We'll also send you an email right after you fill out the form, feel free to reply with any questions you have in advance!

CVE

GHSA-x732-6j76-qmhm

Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits
Back to all
CVE

GHSA-x732-6j76-qmhm

Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

Summary

An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs (e.g., by collapsing multiple slashes), this can allow bypasses of disabledPaths and path-based rate limits.

Details

Better Auth uses better-call, which internally relies on rou3 for routing. Affected versions of rou3 normalize paths by removing empty segments. As a result:

  • /sign-in/email
  • //sign-in/email
  • ///sign-in/email

…all resolve to the same route.

Some production setups automatically collapse multiple slashes. This includes:

  • Vercel with Nextjs (default)
  • Cloudflare - when normalize to urls origin is enabled (https://developers.cloudflare.com/rules/normalization/settings/#normalize-urls-to-origin)

In these environments and other configurations where //path reach Better Auth as /path, the issue does not apply.

Fix

Updating rou3 to the latest version resolves the issue:

  • better-call previously depended on "rou3": "^0.5.1"
  • The fix was introduced after that version

  (commit: https://github.com/h3js/rou3/commit/f60b43fa648399534507c9ac7db36d705b8874c3)

Better Auth recommends:

  1. Upgrading to Better Auth v1.4.5 or later, which includes the updated rou3.
  2. Ensuring the proxy normalizes URLs.
  3. If project maintainers cannot upgrade yet, they can protect their app by normalizing url before it reaches better-auth handler. See example below:
const req = new Request(...) // this would be the actual request object
const url = new URL(req.url);
const normalizedPath = url.pathname.replace(/\/+/g, "/");
if (url.pathname !== normalizedPath) {
  url.pathname = normalizedPath;
  // Update the raw request pathname
  Object.defineProperty(req, "url", {
    value: url.toString(),
    writable: true,
    configurable: true,
  });
}

Impact

  • Bypass disabledPaths
  • Bypass path-based rate limits

The impact of bypassing disabled paths could vary based on a project's configuration.

Package Versions Affected

Package Version
patch Availability
No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading
Detect compatible fix
Apply safe remediation
Fix with a single pull request

CVSS Version

Severity
Base Score
CVSS Version
Score Vector
C
H
U
-
C
H
U
0
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
C
H
U
8.6
-
3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H

Related Resources

No items found.

References

https://github.com/better-auth/better-auth/security/advisories/GHSA-x732-6j76-qmhm, https://github.com/better-auth/better-auth

Severity

8.6

CVSS Score
0
10

Basic Information

Ecosystem
Base CVSS
8.6
EPSS Probability
0%
EPSS Percentile
0%
Introduced Version
0,1.4.0-beta.10,1.2.5-beta.6,0.0.1
Fix Available
1.4.5,1.4.6-beta.3,0.7.0

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.
Fix Without Upgrading