{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/cloudflare/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["better-auth","Cloudflare","Vercel Firewall","AWS WAF","Google Cloud Armor"],"_cs_severities":["medium"],"_cs_tags":["rate-limiting","authentication","ipv6","cve-2026-45364"],"_cs_type":"advisory","_cs_vendors":["Cloudflare","Vercel","Fly.io","AWS","Google"],"content_html":"\u003cp\u003eBetter Auth, a Node.js authentication library, is vulnerable to a rate-limiting bypass (CVE-2026-45364) affecting versions before 1.4.17 and pre-release versions before 1.5.0-beta.9. The vulnerability stems from the rate limiter keying requests by the exact textual IP address, allowing IPv6 clients to circumvent rate limits by rotating through numerous source addresses or manipulating the textual encoding of a single IPv6 address. This bypass impacts authentication endpoints like \u003ccode\u003e/sign-in/email\u003c/code\u003e, \u003ccode\u003e/sign-up/email\u003c/code\u003e, and \u003ccode\u003e/forget-password\u003c/code\u003e, making them susceptible to abuse. The issue was addressed in version 1.4.17 by introducing IP address normalization, which involves expanding compressed IPv6 forms, lowercasing hex digits, collapsing IPv4-mapped IPv6 to plain IPv4, and applying a default \u003ccode\u003e/64\u003c/code\u003e prefix mask. Managed hosts including Cloudflare, Vercel, Fly.io, AWS Application Load Balancer, and Google Cloud Load Balancing advertise IPv6 by default, increasing the attack surface.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies an authentication endpoint (e.g., \u003ccode\u003e/sign-in/email\u003c/code\u003e) protected by Better Auth\u0026rsquo;s rate limiter.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a request to the authentication endpoint from an IPv6 address.\u003c/li\u003e\n\u003cli\u003eThe Better Auth rate limiter extracts the leftmost \u003ccode\u003ex-forwarded-for\u003c/code\u003e value without proper normalization.\u003c/li\u003e\n\u003cli\u003eThe attacker rotates the source IPv6 address within their assigned prefix (e.g., a /64 allocation) or modifies the textual encoding of the IPv6 address (e.g., using compressed or mixed forms).\u003c/li\u003e\n\u003cli\u003eThe attacker sends a subsequent request to the same endpoint, using the rotated or modified IPv6 address.\u003c/li\u003e\n\u003cli\u003eThe rate limiter treats the new IPv6 address as a distinct client due to the lack of normalization.\u003c/li\u003e\n\u003cli\u003eThe attacker repeats steps 4-6 to bypass the rate limit and make unlimited authentication attempts.\u003c/li\u003e\n\u003cli\u003eThe attacker performs credential stuffing, account enumeration, or password-reset amplification attacks.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers to bypass rate limiting on authentication endpoints. This can lead to credential stuffing attacks against \u003ccode\u003e/sign-in/email\u003c/code\u003e, enabling unauthorized access to user accounts. Account enumeration becomes easier due to the ability to make unlimited requests without being rate limited. Furthermore, attackers can amplify password-reset and email-verification email fan-out, potentially overwhelming email systems and causing denial of service. While this vulnerability does not directly compromise accounts, it weakens the defense-in-depth and increases the risk of successful attacks.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ebetter-auth@1.4.17\u003c/code\u003e or later to apply the fix that normalizes IPv6 addresses, mitigating the rate-limiting bypass (see Patches section).\u003c/li\u003e\n\u003cli\u003eIf upgrading is not immediately feasible, and you are on \u003ccode\u003e\u0026gt;= 1.4.16\u003c/code\u003e, set \u003ccode\u003eadvanced.ipAddress.ipv6Subnet: 64\u003c/code\u003e in the auth configuration to restore post-\u003ccode\u003e1.4.17\u003c/code\u003e behavior (see Workarounds section).\u003c/li\u003e\n\u003cli\u003eFor versions \u003ccode\u003e\u0026lt; 1.4.16\u003c/code\u003e, shift the bypass mitigation upstream by configuring IPv6 prefix length limiting on your CDN, WAF, or load balancer to \u003ccode\u003e/64\u003c/code\u003e (or coarser per RFC 6177) (see Workarounds section).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Detect High Volume Authentication Attempts from Single IPv6 /64 Prefix (CVE-2026-45364)\u0026rdquo; to identify potential exploitation attempts by monitoring authentication logs for excessive attempts from the same /64 IPv6 subnet (see Rules section).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-15T17:43:06Z","date_published":"2026-05-15T17:43:06Z","id":"https://feed.craftedsignal.io/briefs/2026-05-better-auth-rate-limit-bypass/","summary":"Better Auth versions before 1.4.17 and pre-release versions before 1.5.0-beta.9 are vulnerable to CVE-2026-45364, a rate-limiting bypass that allows IPv6 clients to rotate through numerous source addresses or vary the textual encoding of one IPv6 address, effectively defeating rate limiting on authentication endpoints, potentially leading to credential stuffing, account enumeration, and amplification of password-reset email fan-out.","title":"Better Auth Rate Limiter Bypass via IPv6 Prefix Rotation (CVE-2026-45364)","url":"https://feed.craftedsignal.io/briefs/2026-05-better-auth-rate-limit-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Cloudflare","version":"https://jsonfeed.org/version/1.1"}