Description
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9.
Published: 2026-05-28
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in Better Auth’s HTTP rate limiter, which keys requests by the raw textual IP address in the x-forwarded-for or configured header. IPv6 clients can manipulate the address within a /64 prefix or use different textual representations to generate distinct keys, allowing them to perform unlimited authentication attempts on protected endpoints such as sign‑in, sign‑up, and forget‑password. The CVE describes this as an "Improper Restriction of Excessive Authentication Attempts" (CWE‑307) weakness that can enable unauthorized access. The description does not explicitly mention denial of service or resource exhaustion; these effects are inferred but not directly stated.

Affected Systems

Better Auth library versions before 1.4.17 and 1.5.0‑beta.9 are affected; the flaw applies to any application that uses the library’s HTTP rate limiter for authentication and authorization handling.

Risk and Exploitability

The vulnerability has a CVSS score of 7.3, indicating high severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Attackers can exploit the defect remotely by controlling an IPv6 address, thereby rotating through up to 2^64 distinct addresses or using different textual formats to evade the limiter. This allows brute‑force credential attempts against the application without requiring local privileges.

Generated by OpenCVE AI on May 29, 2026 at 00:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Better Auth library to version 1.4.17 or later in the 1.5.0 series to apply the fixed rate‑limiting logic.
  • Configure the HTTP rate limiter to normalize IPv6 addresses or to use a single key per logical client instead of raw IP strings, ensuring consistent keying.
  • If upgrading is not feasible, implement an alternative rate‑limiting or blocking mechanism at the application layer to constrain authentication attempts per client.

Generated by OpenCVE AI on May 29, 2026 at 00:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-p6v2-xcpg-h6xw Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
History

Fri, 29 May 2026 19:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 01:15:00 +0000

Type Values Removed Values Added
First Time appeared Better-auth
Better-auth better Auth
Vendors & Products Better-auth
Better-auth better Auth

Thu, 28 May 2026 22:15:00 +0000

Type Values Removed Values Added
Description Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9.
Title Better Auth: Rate limiter keys IPv6 addresses individually and is bypassable via prefix rotation
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

Subscriptions

Better-auth Better Auth
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:05:38.845Z

Reserved: 2026-05-12T00:51:29.085Z

Link: CVE-2026-45364

cve-icon Vulnrichment

Updated: 2026-05-29T19:05:31.273Z

cve-icon NVD

Status : Received

Published: 2026-05-28T22:17:00.633

Modified: 2026-05-28T22:17:00.633

Link: CVE-2026-45364

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-29T01:00:12Z

Weaknesses