better-auth is vulnerable to Server-Side Request Forgery (SSRF)
70
High Risk
Direct auth.api calls and plugins that resolve a dynamic baseURL could leave baseURL empty, mishandle allowedHosts failures, or trust forwarded host/proto headers without the same gates as the normal request path. Plugin metadata helpers could call back into auth.api without the incoming request, so discovery and issuer URLs might not match the caller’s host. The fix tightens resolution, maps host mismatches to explicit API errors, threads trusted-proxy settings consistently, and forwards the real request into metadata and MCP helpers where needed. Deployments that also use @better-auth/oauth-provider should upgrade that package to the same patch line because it contains coordinated metadata and MCP changes.
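The description above names three failure modes for dynamic base-URL resolution: an empty baseURL, an allowedHosts mismatch that is not surfaced as an explicit error, and forwarded host/proto headers trusted without a trusted-proxy gate. The following is an added example written for this advisory, not better-auth's own code: a small resolver that takes the static origin when one is configured, refuses to fall back to an empty value, only honours X-Forwarded-Host/X-Forwarded-Proto when the deployment says it sits behind a trusted proxy, and maps a host outside the allow list to a typed API error. The option names (baseURL, allowedHosts, trustProxyHeaders), the APIError class and the request shape are assumptions that mirror the advisory's wording, not the library's real API.

```typescript
// Added example for this advisory. Not better-auth code; option and type
// names are hypothetical and only echo the advisory's terminology.

class APIError extends Error {
  readonly code: string;
  constructor(code: string, message: string) {
    super(message);
    this.name = "APIError";
    this.code = code;
  }
}

interface ResolveOptions {
  baseURL?: string;            // static origin configured by the deployment
  allowedHosts?: string[];     // exact hosts or "*.example.com" suffix patterns
  trustProxyHeaders?: boolean; // honour X-Forwarded-* only when explicitly set
}

interface IncomingRequest {
  headers: Record<string, string | undefined>;
}

// Hostname syntax we are willing to embed in a URL we later fetch from or
// advertise as an issuer: labels, dots, hyphens and an optional port.
const HOST_RE = /^[a-z0-9.-]+(:\d{1,5})?$/i;

function hostAllowed(hostname: string, allowed: string[] | undefined): boolean {
  if (!allowed || allowed.length === 0) return true;
  const h = hostname.toLowerCase();
  return allowed.some((pattern) => {
    const p = pattern.toLowerCase();
    if (p.startsWith("*.")) {
      const suffix = p.slice(1); // ".example.com"
      return h.endsWith(suffix) && h.length > suffix.length;
    }
    return h === p;
  });
}

function resolveBaseURL(opts: ResolveOptions, req?: IncomingRequest): string {
  // 1. A configured static origin always wins; nothing from the request is used.
  if (opts.baseURL) {
    return new URL(opts.baseURL).origin;
  }
  // 2. Without a request (e.g. a metadata helper called internally) there is
  //    nothing safe to derive from, so fail loudly instead of returning "".
  if (!req) {
    throw new APIError(
      "INTERNAL_SERVER_ERROR",
      "baseURL is not configured and no incoming request is available to derive it",
    );
  }
  let host = req.headers["host"];
  let proto = "https";
  // 3. Forwarded headers are only believed when the operator has declared a
  //    trusted proxy; otherwise a client could pick the origin we resolve to.
  if (opts.trustProxyHeaders) {
    const fwdHost = req.headers["x-forwarded-host"];
    const fwdProto = req.headers["x-forwarded-proto"];
    if (fwdHost) host = fwdHost.split(",")[0].trim();
    if (fwdProto) proto = fwdProto.split(",")[0].trim().toLowerCase();
  }
  if (!host || !HOST_RE.test(host)) {
    throw new APIError("BAD_REQUEST", "missing or malformed Host header");
  }
  if (proto !== "http" && proto !== "https") {
    throw new APIError("BAD_REQUEST", `unsupported forwarded protocol '${proto}'`);
  }
  // 4. A host outside allowedHosts is an explicit, typed failure, not a silent
  //    fallback that downstream code might treat as success.
  const hostname = host.split(":")[0];
  if (!hostAllowed(hostname, opts.allowedHosts)) {
    throw new APIError("FORBIDDEN", `host '${hostname}' is not in allowedHosts`);
  }
  return `${proto}://${host}`;
}

// Helper so callers (and the checks below) can inspect the error code.
function resolveOrCode(opts: ResolveOptions, req?: IncomingRequest): string {
  try {
    return resolveBaseURL(opts, req);
  } catch (e) {
    return e instanceof APIError ? `error:${e.code}` : "error:unknown";
  }
}
```

The shape to copy is the ordering of the gates: static configuration first, an explicit error rather than an empty string when no request is present, forwarded headers only behind an operator-declared trusted proxy, and an allow-list check whose failure surfaces as a distinct error code that callers and logs can distinguish from a successful resolution.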
You are affected if you are using a version that falls within the vulnerable range.
better-auth is vulnerable to Server-Side Request Forgery (SSRF) in versions 1.2.0 - 1.6.2.
Upgrade the better-auth library to a patched version.