GHSA-9H47-PQCX-HJR4: Insecure Cryptographic Defaults in Better Auth OIDC Provider
Vulnerability ID: GHSA-9H47-PQCX-HJR4
CVSS Score: 9.8
Published: 2026-07-07
The Better Auth framework's OIDC provider implementation (oidcProvider) contained insecure cryptographic defaults before version 1.6.11. It advertised the insecure alg=none signing algorithm and accepted plain PKCE challenges by default, leaving downstream clients vulnerable to token signature bypasses and authorization code interception attacks.
TL;DR
Better Auth prior to v1.6.11 suffered from insecure defaults by advertising alg=none and accepting plain PKCE, enabling token forgery and session hijacking.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-347, CWE-327
- Attack Vector: Network (Unauthenticated)
- CVSS Score: 9.8 (Critical)
- EPSS Score: Not Available (No CVE mapping)
- Impact: Token forgery and authorization code interception
- Exploit Status: Proof-of-concept / Conceptual
- KEV Status: Not Listed
Affected Systems
- Better Auth framework
- oidcProvider component
-
Better Auth: < 1.6.11 (Fixed in:
1.6.11)
Mitigation Strategies
- Upgrade Better Auth to version 1.6.11 or higher to disable insecure defaults.
- Verify OIDC discovery metadata to ensure 'none' is not listed under supported signing algorithms.
- Enforce S256 PKCE challenge methods on both the provider and integrated client sides.
Remediation Steps:
- Execute 'npm install better-auth@1.6.11' to update the library.
- Inspect the '/.well-known/openid-configuration' metadata of your deployment.
- Ensure downstream clients explicitly require 'code_challenge_method=S256' during authorization.
References
Read the full report for GHSA-9H47-PQCX-HJR4 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)