{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/better-auth/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["authentication","2fa","bypass","better-auth"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBetter Auth versions prior to 1.4.9 contain a critical vulnerability that can lead to two-factor authentication (2FA) bypass. The vulnerability arises when the \u003ccode\u003esession.cookieCache\u003c/code\u003e is enabled. In this configuration, the initial session created during the login process can be prematurely cached before the 2FA verification is completed. Consequently, subsequent session lookups might use this cached session, circumventing the necessary 2FA check. This issue allows an attacker who possesses valid primary credentials to gain unauthorized access to protected application routes without completing the mandated second authentication factor. Any application leveraging \u003ccode\u003ebetter-auth\u003c/code\u003e with 2FA and session cookie caching enabled is potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUser attempts to log in with valid username and password.\u003c/li\u003e\n\u003cli\u003eThe application, running a vulnerable version of \u003ccode\u003ebetter-auth\u003c/code\u003e with \u003ccode\u003esession.cookieCache\u003c/code\u003e enabled, creates a session.\u003c/li\u003e\n\u003cli\u003eThe session is cached due to the \u003ccode\u003esession.cookieCache\u003c/code\u003e setting, \u003cem\u003ebefore\u003c/em\u003e the 2FA challenge is presented.\u003c/li\u003e\n\u003cli\u003eThe user is prompted for their second factor (e.g., TOTP code).\u003c/li\u003e\n\u003cli\u003eInstead of providing the 2FA code, the attacker intercepts or reuses the cached session cookie.\u003c/li\u003e\n\u003cli\u003eThe attacker presents the cached session cookie to the application.\u003c/li\u003e\n\u003cli\u003eThe application retrieves the cached session, which it prematurely considers valid.\u003c/li\u003e\n\u003cli\u003eThe attacker gains access to protected resources without completing 2FA.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows attackers with valid usernames and passwords to bypass two-factor authentication, gaining unauthorized access to sensitive application resources. The number of affected applications is unknown, but all applications using \u003ccode\u003ebetter-auth\u003c/code\u003e with 2FA and session caching are potentially at risk. A successful attack could lead to data breaches, account takeovers, and other serious security incidents.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to \u003ccode\u003ebetter-auth\u003c/code\u003e version 1.4.9 or later to patch the vulnerability.\u003c/li\u003e\n\u003cli\u003eDisable \u003ccode\u003esession.cookieCache\u003c/code\u003e when using two-factor authentication as a temporary mitigation.\u003c/li\u003e\n\u003cli\u003eIf disabling \u003ccode\u003esession.cookieCache\u003c/code\u003e is not feasible, implement server-side checks to ensure 2FA is completed before granting full session validity (requires code modification).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-03T03:29:59Z","date_published":"2026-04-03T03:29:59Z","id":"/briefs/2024-01-02-better-auth-2fa-bypass/","summary":"Better Auth versions prior to 1.4.9 have a critical two-factor authentication bypass vulnerability; when session.cookieCache is enabled, the initial sign-in session may be improperly cached, allowing attackers with valid credentials to bypass 2FA.","title":"Better Auth Two-Factor Authentication Bypass Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-02-better-auth-2fa-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Better-Auth","version":"https://jsonfeed.org/version/1.1"}