Headline
GHSA-hq75-xg7r-rx6c: Better Call routing bug can lead to Cache Deception
Summary
Using a CDN that caches (/**/*.png, /**/*.json, /**/*.css, etc…) requests, a cache deception can emerge. This could lead to unauthorized access to user sessions and personal data when cached responses are served to other users.
Details
The vulnerability occurs in the request processing logic where path sanitization is insufficient. The library splits the path using config.basePath but doesn’t properly validate the remaining path components. This allows specially crafted requests that appear to be static assets (like /api/auth/get-session/api/auth/image.png assuming config.basePath=/api/auth) to bypass typical CDN cache exclusion rules while actually returning sensitive data.
The problematic code here:
const processRequest = async (request: Request) => {
const url = new URL(request.url);
const path = config?.basePath ? url.pathname.split(config.basePath)[1] : url.pathname;
Since this library is largely coupled with better-auth, it becomes more clear why this can be dangerous with an example request:
<img width="800" alt="image" src="https://github.com/user-attachments/assets/2ab7c4dd-0700-4f59-863f-79f2b5edbb37" />
Impact
This is a cache deception vulnerability affecting better-call users with CDN caching enabled. which can expose sensitive data.
Summary
Using a CDN that caches (//.png, //.json, /*/.css, etc…) requests, a cache deception can emerge. This could lead to unauthorized access to user sessions and personal data when cached responses are served to other users.
Details
The vulnerability occurs in the request processing logic where path sanitization is insufficient. The library splits the path using config.basePath but doesn’t properly validate the remaining path components. This allows specially crafted requests that appear to be static assets (like /api/auth/get-session/api/auth/image.png assuming config.basePath=/api/auth) to bypass typical CDN cache exclusion rules while actually returning sensitive data.
The problematic code here:
const processRequest \= async (request: Request) \=> {
const url \= new URL(request.url);
const path \= config?.basePath ? url.pathname.split(config.basePath)\[1\] : url.pathname;
Since this library is largely coupled with better-auth, it becomes more clear why this can be dangerous with an example request:
Impact
This is a cache deception vulnerability affecting better-call users with CDN caching enabled. which can expose sensitive data.
References
- GHSA-hq75-xg7r-rx6c
- Bekacru/better-call@7c7d31b