DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-2VG6-77G8-24MP: GHSA-2vg6-77g8-24mp: Insufficient Session Expiration via Incomplete Cleanup in Better Auth Ecosystem

GHSA-2vg6-77g8-24mp: Insufficient Session Expiration via Incomplete Cleanup in Better Auth Ecosystem

Vulnerability ID: GHSA-2VG6-77G8-24MP
CVSS Score: 3.8
Published: 2026-07-07

A critical session persistence vulnerability exists within the Better Auth framework when configured to use external secondary storage (such as Redis or Cloudflare KV) with default database options. Due to four incomplete user-deletion code paths, active user sessions are not evicted from secondary storage caches during deletion events. As a result, deleted users retain full system access via their pre-existing session cookies until the Session Time-To-Live (TTL) expires.

TL;DR

Better Auth failed to evict cached sessions from secondary storage (e.g., Redis) when deleting users via admin, anonymous, or SCIM endpoints. Deleted users could continue accessing the system with active cookies for up to 7 days.


Technical Details

  • Vulnerability ID: GHSA-2vg6-77g8-24mp
  • CWE ID: CWE-613, CWE-459, CWE-672
  • Attack Vector: Network
  • CVSS v3.1 Score: 3.8 (Low)
  • Exploit Status: Conceptual / Logic Defect
  • Remediation Status: Patched in v1.6.11

Affected Systems

  • Applications utilizing Better Auth with secondary session storage configuration (Redis, Cloudflare KV, memory-caches)
  • Applications utilizing the Better Auth Admin plugin
  • Applications utilizing the @better-auth/scim plugin for automated identity management
  • Applications utilizing the Better Auth Anonymous user plugin
  • better-auth: >= 0.3.4, < 1.6.11 (Fixed in: 1.6.11)
  • @better-auth/scim: >= 1.6.0, < 1.6.11 (Fixed in: 1.6.11)

Mitigation Strategies

  • Upgrade better-auth packages to version 1.6.11 or later to natively resolve the deletion orchestration bugs.
  • Change session configuration to store sessions directly in the database, allowing relational database cascades to clean up orphaned rows.
  • Wrap administrator and SCIM delete endpoints in a custom utility that explicitly calls revokeUserSessions prior to account destruction.

Remediation Steps:

  1. Verify if 'secondaryStorage' is enabled and 'session.storeSessionInDatabase' is either omitted or explicitly set to false.
  2. Update your project dependencies using npm or yarn: npm install better-auth@1.6.11 @better-auth/scim@1.6.11
  3. If patching is not possible immediately, add session: { storeSessionInDatabase: true } to your auth configuration block.
  4. Review custom admin flows to ensure any manually triggered deleteUser hooks are paired with a corresponding deleteSessions call.

References


Read the full report for GHSA-2VG6-77G8-24MP on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)