
Better Auth Passkey Plugin allows passkey deletion through IDOR

High severity GitHub Reviewed Published Nov 24, 2025 in better-auth/better-auth • Updated Nov 25, 2025

Package

npm @better-auth/passkey (npm)

Affected versions

< 1.4.0

Summary

Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey.

Details

ctx.body.id is implicitly trusted and used in passkey deletion queries.

better-auth applications configured with useNumberId may use auto-incrementing IDs, which makes it trivial to delete all passkeys via enumeration.
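The following is an added example, not code from better-auth or from the fix commit referenced below. It models a passkey table in memory and contrasts the pattern the advisory describes (a delete query keyed only on the body-supplied id) with the hardened form that scopes the delete to the session's own user id. `PasskeyStore`, `deletePasskeyVulnerable`, `deletePasskeyFixed`, `seedStore` and `passkeysDeletableBy` are hypothetical names; the sample rows are constructed.

```typescript
// Added example (hypothetical names, constructed data); not better-auth's own code.

interface Passkey {
  id: string;      // with useNumberId these are small auto-incrementing integers
  userId: string;  // owner of the credential
  name: string;
}

// Minimal stand-in for the request context a handler sees:
// an authenticated session plus the parsed JSON body.
interface Ctx {
  session: { user: { id: string } };
  body: { id: string };
}

type DeleteHandler = (store: PasskeyStore, ctx: Ctx) => { status: number };

class PasskeyStore {
  private rows: Passkey[];

  constructor(rows: Passkey[]) {
    this.rows = rows.map((r) => ({ ...r }));
  }

  // Equivalent of: DELETE FROM passkey WHERE id = ?
  deleteById(id: string): number {
    const before = this.rows.length;
    this.rows = this.rows.filter((r) => r.id !== id);
    return before - this.rows.length;
  }

  // Equivalent of: DELETE FROM passkey WHERE id = ? AND userId = ?
  deleteByIdAndOwner(id: string, userId: string): number {
    const before = this.rows.length;
    this.rows = this.rows.filter((r) => !(r.id === id && r.userId === userId));
    return before - this.rows.length;
  }

  count(): number {
    return this.rows.length;
  }
}

// Vulnerable pattern: ctx.body.id is trusted as-is, so any valid session
// can delete any passkey by id (the IDOR described in the advisory).
function deletePasskeyVulnerable(store: PasskeyStore, ctx: Ctx): { status: number } {
  const removed = store.deleteById(ctx.body.id);
  return { status: removed > 0 ? 200 : 404 };
}

// Hardened pattern: the owner check is part of the query itself, so a
// passkey belonging to someone else is simply not found for this caller.
function deletePasskeyFixed(store: PasskeyStore, ctx: Ctx): { status: number } {
  const removed = store.deleteByIdAndOwner(ctx.body.id, ctx.session.user.id);
  return { status: removed > 0 ? 200 : 404 };
}

// Constructed sample table with sequential ids, as useNumberId would produce.
function seedStore(): PasskeyStore {
  return new PasskeyStore([
    { id: "1", userId: "alice", name: "alice-security-key" },
    { id: "2", userId: "bob", name: "bob-phone" },
    { id: "3", userId: "alice", name: "alice-laptop" },
  ]);
}

// Regression check: how many passkeys can a session for `userId` delete
// when it walks ids 1..maxId? A correct handler returns only its own count.
function passkeysDeletableBy(
  handler: DeleteHandler,
  store: PasskeyStore,
  userId: string,
  maxId: number,
): number {
  let deleted = 0;
  for (let i = 1; i <= maxId; i++) {
    const res = handler(store, { session: { user: { id: userId } }, body: { id: String(i) } });
    if (res.status === 200) deleted++;
  }
  return deleted;
}
```

The fix belongs in the query's WHERE clause rather than in a separate "fetch, compare owner, then delete" sequence, so there is no window in which the ownership check can be skipped or raced, and the handler returns the same 404 whether the id is missing or belongs to another user.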

References

  • GHSA-4vcf-q4xf-f48m
  • better-auth/better-auth@06d68239e

Published to the GitHub Advisory Database

Nov 25, 2025

Last updated

Nov 25, 2025
