@convex-dev/better-auth is vulnerable to Denial of Service (DoS)
35
Low Risk
The Convex adapter's handlePagination helper drives count() and unlimited findMany() as an unbounded paginated scan. When no caller limit is supplied, the per-page numItems budget collapses to 0 after the first 200 rows, so the cursor stops advancing and the loop never reaches its done condition. Any count() or unlimited findMany() over a table or filtered set with more than 200 matching rows loops forever, re-issuing cached findMany queries until the function is killed at its wall-clock limit and exhausting compute. The fix pages at the full 200 rows when there is no limit and adds a forward-progress guard that aborts when a page produces no rows and does not advance the cursor.
You are affected if you are using a version that falls within the vulnerable range.
@convex-dev/better-auth is vulnerable to Denial of Service (DoS) in versions 0.7.0 - 0.12.4.
Upgrade the @convex-dev/better-auth library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant