@better-auth/utils is vulnerable to Observable Timing Discrepancy
39
Low Risk
The verifyTOTP helper in src/otp.ts compared the submitted code against each generated window candidate using the JavaScript === operator and returned early on the first match. Both the non-constant-time string comparison and the short-circuit loop make verification time depend on how many leading characters of the code are correct and on which window position matched. An attacker able to observe verification response timing can use this side channel to infer information about valid one-time codes. The fix introduces a length-independent constantTimeEqualOTP comparison and evaluates every window candidate before returning.
You are affected if you are using a version that falls within the vulnerable range and your application exposes OTP/TOTP verification to external-observable timing.
@better-auth/utils is vulnerable to Observable Timing Discrepancy in versions 0.1.1 - 0.4.1.
Upgrade the @better-auth/utils library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant