GHSA-wmjr-v86c-m9jj

Опубликовано: 26 нояб. 2025

Источник: github

Github: Прошло ревью

CVSS4: 2

Описание

Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions

Summary

A vulnerability was identified in the multi-session plugin for Better Auth, specifically in the /sign-out after-hook. The hook trusts raw multi-session cookies and forwards the extracted values directly to internalAdapter.deleteSessions without verifying the cookie signature. Because cookie values are not validated with getSignedCookie (or any equivalent check), an attacker can supply a forged _multi-* cookie to trigger deletion of arbitrary session tokens.

Ссылки

https://github.com/better-auth/better-auth/security/advisories/GHSA-wmjr-v86c-m9jj
https://github.com/better-auth/better-auth/commit/cfc453a2a6eb02951f9a0a7c944064936e73eee8
https://github.com/better-auth/better-auth/releases/tag/v1.4.0

Пакеты

Наименование

better-auth

npm

Затронутые версииВерсия исправления

>= 1.3.34, < 1.4.0

1.4.0

2 Low

CVSS4

Дефекты

CWE-287

CWE-345

2 Low

CVSS4

Дефекты

CWE-287

CWE-345