Better-Auth Account Takeover (cve-2025-61928) Found via Zeropath
Posted3 months agoActive2 months ago
zeropath.comTechstory
calmnegative
Debate
20/100
SecurityVulnerabilityAuthentication
Key topics
Security
Vulnerability
Authentication
A security vulnerability (CVE-2025-61928) was discovered in Better-auth, allowing unauthenticated API key creation, and the discussion revolves around the implications and potential fixes for this issue.
Snapshot generated from the HN discussion
Discussion Activity
Light discussionFirst comment
3m
Peak period
2
0-1h
Avg / period
1.3
Key moments
- 01Story posted
Oct 19, 2025 at 3:44 PM EDT
3 months ago
Step 01 - 02First comment
Oct 19, 2025 at 3:48 PM EDT
3m after posting
Step 02 - 03Peak activity
2 comments in 0-1h
Hottest window of the conversation
Step 03 - 04Latest activity
Oct 19, 2025 at 7:56 PM EDT
2 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
ID: 45637295Type: storyLast synced: 11/17/2025, 9:05:45 AM
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
The vulnerability is a logic error in how the API keys plugin determines user context when a userId is specified. Fix is in version 1.3.26. This is the kind of business logic flaw that traditional dependency vetting (stars, existing CVEs, reputation) doesn't catch. We're working on tooling to make these audits more practical at scale.