Intel

AIKIDO-2026-217795

@convex-dev/better-auth is vulnerable to Denial of Service (DoS)

Denial of Service (DoS) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

35

Low Risk

This Affects:

JS@convex-dev/better-auth
0.7.0 - 0.12.4
Fixed in 0.12.5
Are you affected? Scan for Free

TL;DR

The Convex adapter's handlePagination helper drives count() and unlimited findMany() as an unbounded paginated scan. When no caller limit is supplied, the per-page numItems budget collapses to 0 after the first 200 rows, so the cursor stops advancing and the loop never reaches its done condition. Any count() or unlimited findMany() over a table or filtered set with more than 200 matching rows loops forever, re-issuing cached findMany queries until the function is killed at its wall-clock limit and exhausting compute. The fix pages at the full 200 rows when there is no limit and adds a forward-progress guard that aborts when a page produces no rows and does not advance the cursor.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range.

Background info

@convex-dev/better-auth is vulnerable to Denial of Service (DoS) in versions 0.7.0 - 0.12.4.

How to fix this

Upgrade the @convex-dev/better-auth library to the patch version.