GHSA-xg6x-h9c9-2m83
Better Auth Has Two-Factor Authentication Bypass via Premature Session Caching (session.cookieCache)
Blast Radius
better-authReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects npm packages — download data is not available via public APIs for these ecosystems.
Description
Summary
Under certain configurations, sessions may be considered valid before two-factor authentication (2FA) is fully completed. This can allow access to authenticated routes without verifying the second factor.
Description
When two-factor authentication is enabled, the authentication flow correctly identifies users who require additional verification and defers full authentication until the second factor is completed.
However, when session.cookieCache is enabled, the session generated during the initial sign-in step may be cached as valid prior to 2FA verification. Subsequent session lookups may then return this cached session without re-evaluating the 2FA requirement.
This results in a situation where session validity can be established before all authentication constraints are satisfied.
Impact
An attacker (or user) with valid primary credentials may gain access to protected application routes without completing the required second authentication factor.
Any application using better-auth with both two-factor authentication and session cookie caching enabled may be affected.
Mitigation
- Upgrade to a version of
better-auththat includes the fix for this issue. - Ensure that session caching does not treat sessions as fully authenticated until all required authentication steps, including 2FA, are completed.
- As a temporary workaround, disable
session.cookieCachewhen using two-factor authentication.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| 📦npm | better-auth | all versions | 1.4.9 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for better-auth. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update better-auth to 1.4.9 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-xg6x-h9c9-2m83 is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-xg6x-h9c9-2m83 is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-xg6x-h9c9-2m83. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-xg6x-h9c9-2m83 in your dependencies?
O3 detects GHSA-xg6x-h9c9-2m83 across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.