CVE-2026-45364: Better Auth IPv6 Rate Limiter Bypass
Better Auth, a TypeScript authentication library, contained a rate-limiting bypass that allowed attackers to circumvent protections on sensitive endpoints like sign-in, sign-up, and password reset. The vulnerability exploited how the library handled IPv6 addresses in rate-limiting checks. IPv6 clients could generate an enormous number of distinct request origins (up to 2^64 per /64 subnet) by rotating through different source addresses, or bypass limits by varying how a single IPv6 address was encoded (uppercase vs. lowercase, compressed vs. full format, IPv4-mapped notation). This rendered rate limiting ineffective against brute-force attacks on authentication endpoints. Fixed in versions 1.4.17 and 1.5.0-beta.9.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-307
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9.
5 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from how Better Auth's HTTP rate limiter constructs its cache keys. The library directly uses the textual representation of the IP address extracted from x-forwarded-for (or a configured IP-bearing header) without normalizing the IPv6 address format. IPv6 addresses can be represented multiple valid ways (e.g., 2001:db8::1 vs. 2001:0db8:0000:0000:0000:0000:0000:0001 vs. ::ffff:192.0.2.1 for IPv4-mapped), each producing a distinct string and thus a distinct rate-limit counter entry. Additionally, IPv6 clients with a /64 allocation control 2^64 unique addresses, allowing them to send requests from different source IPs within that range without triggering cumulative rate-limit thresholds. The issue affects all endpoints protected by the library's rate limiter, including /sign-in/email, /sign-up/email, /forget-password, and others.
Business impact
Applications using vulnerable versions of Better Auth face a substantially elevated risk of credential compromise and account takeover. Attackers can bypass rate limiting to conduct brute-force password attacks, enumerate valid email addresses during sign-up, or repeatedly attempt password reset flows without triggering defensive mechanisms. The impact scales with the sensitivity of the authentication logic and the value of the accounts under attack. Compliance postures may also suffer if rate limiting was relied upon to meet regulatory or contractual security requirements.
Affected systems
Any application using Better Auth versions prior to 1.4.17 or 1.5.0-beta.9 is affected. This includes both TypeScript/Node.js applications and those deployed behind reverse proxies that forward client IP via x-forwarded-for or similar headers. Systems that rely on IPv6 connectivity are particularly vulnerable because attackers have access to a far larger pool of source addresses per customer allocation.
Exploitability
Exploitation requires no special privileges, authentication, or user interaction. An attacker with network access can immediately craft requests with varying IPv6 source addresses or encodings to bypass rate limits. The barrier to entry is low: basic familiarity with IPv6 addressing and HTTP requests is sufficient. No exploit code or active KEV activity has been published, but the attack is straightforward to implement once the vulnerability is understood. Organizations using vulnerable versions should treat this as actively exploitable.
Remediation
Update Better Auth to version 1.4.17 or 1.5.0-beta.9 or later immediately. The fix normalizes IPv6 addresses before using them as rate-limit keys, ensuring that different textual representations of the same address, and addresses within the same /64 allocation, map to the same counter. After patching, consider resetting rate-limit counters to prevent stale state from interfering with the corrected logic.
Patch guidance
1. Review your dependency lock file to confirm the installed version of Better Auth. 2. Update to 1.4.17 (for the 1.4.x branch) or 1.5.0-beta.9 (for the 1.5.x beta) or any later release. 3. Test authentication flows (sign-in, sign-up, password reset) in a staging environment to ensure rate limiting now functions correctly. 4. Monitor rate-limit metrics post-deployment to confirm the corrected behavior is in place. 5. If you customized IP-bearing headers in your Better Auth configuration, verify that the normalization applies to your chosen header.
Detection guidance
Review access logs for patterns consistent with rate-limit bypass: multiple failed authentication attempts from different IPv6 addresses within the same /64 subnet, or repeated attempts using different encodings of the same IPv6 address (e.g., compressed and uncompressed forms). Monitor authentication endpoints for unusual spikes in failed login attempts or password reset requests. If you have rate-limit middleware upstream of Better Auth, verify that it is also normalizing IPv6 addresses consistently. Set alerts for repeated failed authentication attempts across multiple apparent source IPs that resolve to the same organizational or ISP allocation.
Why prioritize this
This vulnerability rates HIGH (CVSS 7.3) and should be prioritized for immediate patching. It directly undermines a critical security control—rate limiting on authentication endpoints—and enables brute-force attacks with minimal effort. Unlike vulnerabilities that require social engineering or user interaction, this bypass is automatic and does not depend on user behavior. Organizations using Better Auth for production authentication should patch within 24–48 hours.
Risk score, explained
The CVSS 3.1 score of 7.3 reflects a network-accessible vulnerability (AV:N) with low attack complexity (AC:L) requiring no privileges or user interaction (PR:N, UI:N). The scope is unchanged (S:U), and the impact across confidentiality, integrity, and availability is low (C:L, I:L, A:L). The 'Low' impact designation reflects that the vulnerability does not directly grant code execution or full system compromise, but rather enables a class of attacks (brute-force) that can lead to account compromise, data theft, and service disruption. The score appropriately captures the broad attack surface and ease of exploitation.
Frequently asked questions
Do I need to update if I'm not using IPv6?
IPv6 support depends on your network infrastructure and how your reverse proxy forwards client IPs. If your organization does not receive or forward IPv6 addresses, the /64 exhaustion vector is not applicable. However, the textual encoding bypass (uppercase vs. lowercase, compressed vs. full notation) still applies to IPv6 if it is ever forwarded, making patching advisable as a defense-in-depth measure.
Can I work around this without updating if I cannot patch immediately?
Temporarily reduce rate limits to shorter windows and lower thresholds on sensitive endpoints like /sign-in/email and /forget-password. Implement IP normalization in your reverse proxy or middleware before the request reaches Better Auth. Deploy a separate rate-limiting service (e.g., redis-based) that normalizes IPv6 addresses and enforce it upstream. These mitigations reduce exposure but do not fully resolve the issue; prioritize upgrading as soon as possible.
Will the fix affect legitimate users behind a shared IPv6 /64?
Yes, potentially. If legitimate users share a /64 allocation (e.g., a large corporate network or ISP customer block), they now share a single rate-limit counter. If one user exceeds the limit, all users on that /64 may be temporarily blocked. Monitor user feedback and adjust rate-limit thresholds if necessary to balance security and usability.
Is there a way to verify that the fix is working?
After upgrading, test authentication endpoints from multiple IPv6 addresses within the same /64 subnet and from differently-encoded representations of the same IPv6 address. Confirm that all requests increment the same rate-limit counter. Monitor logs and metrics to ensure rate limits trigger consistently. Load-test with known-bad patterns (brute-force-like traffic) to validate that protection is restored.
This analysis is provided for informational purposes and reflects the state of knowledge as of the publication date. Version numbers, patch availability, and CVSS scores referenced herein are based on the vulnerability record and vendor advisories at the time of writing. Organizations should verify patch availability and compatibility with their specific deployment before applying updates. SEC.co does not endorse or warrant the completeness, accuracy, or reliability of any remediation advice; consult your vendor's official documentation and your own security team when making patching decisions. No exploit code or step-by-step weaponization guidance is provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2026-35675HIGHphpMyFAQ Password Reset Authentication Bypass – Account Takeover
- CVE-2026-36607HIGHMercusys AC12G Router Brute-Force Vulnerability – Rate Limiting Bypass
- CVE-2026-10216LOWWeak Authentication Rate-Limiting in unitedbyai Droidclaw
- CVE-2026-36612MEDIUMMercusys AC12G Weak WPS Lockout Policy Enables Router Compromise
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25383HIGHFree MP3 CD Ripper 2.8 Stack Overflow – ROP and DEP Bypass Risk
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface