GHSA-x732-6j76-qmhm
HIGHBetter Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits
Blast Radius
Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.
better-authnpmDescription
Summary
An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs (e.g., by collapsing multiple slashes), this can allow bypasses of disabledPaths and path-based rate limits.
Details
Better Auth uses better-call, which internally relies on rou3 for routing. Affected versions of rou3 normalize paths by removing empty segments. As a result:
/sign-in/email//sign-in/email///sign-in/email
…all resolve to the same route.
Some production setups automatically collapse multiple slashes. This includes:
- Vercel with Nextjs (default)
- Cloudflare - when normalize to urls origin is enabled (https://developers.cloudflare.com/rules/normalization/settings/#normalize-urls-to-origin)
In these environments and other configurations where //path reach Better Auth as /path, the issue does not apply.
Fix
Updating rou3 to the latest version resolves the issue:
- better-call previously depended on
"rou3": "^0.5.1" - The fix was introduced after that version (commit: https://github.com/h3js/rou3/commit/f60b43fa648399534507c9ac7db36d705b8874c3)
Better Auth recommends:
- Upgrading to Better Auth v1.4.5 or later, which includes the updated rou3.
- Ensuring the proxy normalizes URLs.
- If project maintainers cannot upgrade yet, they can protect their app by normalizing url before it reaches better-auth handler. See example below:
const req = new Request(...) // this would be the actual request object
const url = new URL(req.url);
const normalizedPath = url.pathname.replace(/\/+/g, "/");
if (url.pathname !== normalizedPath) {
url.pathname = normalizedPath;
// Update the raw request pathname
Object.defineProperty(req, "url", {
value: url.toString(),
writable: true,
configurable: true,
});
}
Impact
- Bypass
disabledPaths - Bypass path-based rate limits
The impact of bypassing disabled paths could vary based on a project's configuration.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | better-auth | all versions | 1.4.5 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for better-auth. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update better-auth to 1.4.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-x732-6j76-qmhm is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-x732-6j76-qmhm is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-x732-6j76-qmhm. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-x732-6j76-qmhm in your dependencies?
O3 detects GHSA-x732-6j76-qmhm across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.