DEV Community

CVE Reports
CVE Reports

Posted on • Originally published at cvereports.com

GHSA-9H47-PQCX-HJR4: GHSA-9H47-PQCX-HJR4: Insecure Cryptographic Defaults in Better Auth OIDC Provider

GHSA-9H47-PQCX-HJR4: Insecure Cryptographic Defaults in Better Auth OIDC Provider

Vulnerability ID: GHSA-9H47-PQCX-HJR4
CVSS Score: 9.8
Published: 2026-07-07

The Better Auth framework's OIDC provider implementation (oidcProvider) contained insecure cryptographic defaults before version 1.6.11. It advertised the insecure alg=none signing algorithm and accepted plain PKCE challenges by default, leaving downstream clients vulnerable to token signature bypasses and authorization code interception attacks.

TL;DR

Better Auth prior to v1.6.11 suffered from insecure defaults by advertising alg=none and accepting plain PKCE, enabling token forgery and session hijacking.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-347, CWE-327
  • Attack Vector: Network (Unauthenticated)
  • CVSS Score: 9.8 (Critical)
  • EPSS Score: Not Available (No CVE mapping)
  • Impact: Token forgery and authorization code interception
  • Exploit Status: Proof-of-concept / Conceptual
  • KEV Status: Not Listed

Affected Systems

  • Better Auth framework
  • oidcProvider component
  • Better Auth: < 1.6.11 (Fixed in: 1.6.11)

Mitigation Strategies

  • Upgrade Better Auth to version 1.6.11 or higher to disable insecure defaults.
  • Verify OIDC discovery metadata to ensure 'none' is not listed under supported signing algorithms.
  • Enforce S256 PKCE challenge methods on both the provider and integrated client sides.

Remediation Steps:

  1. Execute 'npm install better-auth@1.6.11' to update the library.
  2. Inspect the '/.well-known/openid-configuration' metadata of your deployment.
  3. Ensure downstream clients explicitly require 'code_challenge_method=S256' during authorization.

References


Read the full report for GHSA-9H47-PQCX-HJR4 on our website for more details including interactive diagrams and full exploit analysis.

Top comments (0)