better-auth is vulnerable to Server-Side Request Forgery (SSRF)
81
High Risk
Several code paths decide whether a host is loopback or safe to treat as a local development origin. The dynamic allowedHosts handling used substring tests on host strings, so hostnames that merely contained localhost or 127.0.0.1 as substrings could receive an extra trusted http origin alongside https. A separate helper also treated the IPv4 unspecified address like true loopback when inferring schemes, which could broaden what was considered a local origin. The update routes these decisions through the shared classifier from @better-auth/core/utils/host and replaces the dev-only scheme helper with a narrow check that does not pull that module into client bundles.
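The two behaviours described above, as an added illustration that is not better-auth's own code: a substring test for loopback hosts next to an exact classifier that strips ports and IPv6 brackets, accepts only `localhost`, 127.0.0.0/8 and `::1`, and refuses to treat the unspecified address 0.0.0.0 as loopback. The function and variable names are assumptions, not identifiers from the library.

```typescript
// Added example (not better-auth's own code). Contrasts a substring-based
// loopback test with an exact classifier of the kind the advisory describes.

// Naive check: substring match on the raw host string. Any hostname that
// merely contains "localhost" or "127.0.0.1" is accepted as loopback.
function isLoopbackNaive(host: string): boolean {
  return host.includes("localhost") || host.includes("127.0.0.1");
}

// Strip an optional port and IPv6 brackets so we compare the bare hostname.
function bareHostname(host: string): string {
  const h = host.trim().toLowerCase();
  if (h.startsWith("[")) {
    const end = h.indexOf("]");
    return end === -1 ? h : h.slice(1, end);
  }
  // A hostname or IPv4 literal has at most one colon (the port separator);
  // more than one colon means a bare IPv6 literal, returned unchanged.
  const parts = h.split(":");
  return parts.length <= 2 ? parts[0] : h;
}

// Strict check: exactly "localhost", any 127.0.0.0/8 address, or IPv6 ::1.
// The IPv4 unspecified address 0.0.0.0 is deliberately NOT loopback.
function isLoopbackStrict(host: string): boolean {
  const name = bareHostname(host);
  if (name === "localhost" || name === "::1") return true;
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(name);
  if (!m) return false;
  const octets = m.slice(1).map(Number);
  if (octets.some((o) => o > 255)) return false;
  return octets[0] === 127;
}

// Trusted origins for a host: https always; plain http only for true loopback
// (the dev-only case), so a non-loopback host never gains an extra http origin.
function trustedOrigins(
  host: string,
  loopback: (h: string) => boolean,
): string[] {
  const origins = [`https://${host}`];
  if (loopback(host)) origins.push(`http://${host}`);
  return origins;
}
```

With the naive classifier, a constructed host such as `localhost.example.com` receives both origins; with the strict one it receives only https.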
You are affected if you are using a version that falls within the vulnerable range.
better-auth is vulnerable to Server-Side Request Forgery (SSRF) in versions 1.3.18 - 1.6.5.
Upgrade the better-auth library to a patched version.