@better-auth/stripe is vulnerable to Authorization Bypass
71
High Risk
The @better-auth/stripe plugin authorizes organization subscription actions against the organization id in the request query string but then runs the action against the caller's active organization from their session. When subscriptions and organization subscriptions are enabled with an authorizeReference callback, a member can place an organization they may manage in the query string to pass the check while the handler acts on a different organization they belong to. This lets cancel, change-plan, restore, and billing-portal actions run against the wrong organization and exposes another organization's billing details such as payment methods and invoices. The fix resolves the organization id once in the middleware and passes that single value to the handler so the approved and acted-on organization always match.
You are affected if you are using a version that falls within the vulnerable range and you enable Stripe organization subscriptions with an authorizeReference callback.
@better-auth/stripe is vulnerable to Authorization Bypass in versions 1.4.11 - 1.6.20.
Upgrade the @better-auth/stripe library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant