Intel

AIKIDO-2026-824167

@better-auth/utils is vulnerable to Observable Timing Discrepancy

Observable Timing Discrepancy Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 3 days ago

39

Low Risk

This Affects:

JS@better-auth/utils
0.1.1 - 0.4.1
Fixed in 0.4.2
Are you affected? Scan for Free

TL;DR

The verifyTOTP helper in src/otp.ts compared the submitted code against each generated window candidate using the JavaScript === operator and returned early on the first match. Both the non-constant-time string comparison and the short-circuit loop make verification time depend on how many leading characters of the code are correct and on which window position matched. An attacker able to observe verification response timing can use this side channel to infer information about valid one-time codes. The fix introduces a length-independent constantTimeEqualOTP comparison and evaluates every window candidate before returning.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application exposes OTP/TOTP verification to external-observable timing.

Background info

@better-auth/utils is vulnerable to Observable Timing Discrepancy in versions 0.1.1 - 0.4.1.

How to fix this

Upgrade the @better-auth/utils library to the patch version.