Summary
Better Auth has insecure cryptographic defaults in oidcProvider: alg=none advertised and plain PKCE accepted by default
Full technical description
Am I affected?
Users are affected if all of the following are true:
- Their application uses
better-authat a version below the patched release. - Their application enables
oidcProvider()frombetter-auth/plugins/oidc-providerormcp()frombetter-auth/plugins/mcp(the mcp plugin delegates tooidcProviderand inherits both defaults). - For the algorithm-negotiation impact: relying parties of the application's OIDC server use a JWT verification library that performs algorithm negotiation from the discovery document without pinning to a specific signing algorithm.
- For the PKCE impact: the authorization URL is exposed to any party other than the user agent and the application's OP.
If the application only uses @better-auth/oauth-provider (the canonical replacement) and have not enabled the legacy plugins, it is not affected. The new package's discovery document excludes none and its authorize schema rejects plain at parse time.
Fix:
- Upgrade to
[email protected]or later. - Migrate from the deprecated
oidcProviderandmcpplugins to@better-auth/oauth-providerwhen feasible. - If developers cannot upgrade their applications, see workarounds below.
The legacy oidcProvider and mcp plugins exhibit two related defects in their OIDC discovery and authorize surfaces.
The discovery document advertises "none" in id_token_signing_alg_values_supported (and, for mcp, in resource_signing_alg_values_supported on the OAuth protected-resource metadata). Any relying party that performs algorithm negotiation from this metadata without pinning to a real signing algorithm may accept unsigned tokens.
PKCE plain is enabled by default. The runtime gate in the authorize handler accepts code_challenge_method=plain under this default, and a missing code_challenge_method parameter is silently downgraded to "plain" before the allowlist check. Discovery advertises code_challenge_methods_supported: ["S256"], contradicting the runtime acceptance of plain. RFC 9700 §2.1.1 (OAuth 2.1) explicitly forbids plain.
Details
The metadata builders unconditionally inject "none" into the alg list. The runtime authorize gate is structured so a buggy client that strips the code_challenge_method parameter still enters the plain code path because the handler rewrites the missing value to "plain" before the allowlist check fires.
@better-auth/oauth-provider (the deprecation target for oidcProvider) is not affected by either defect. The metadata builder uses a JWSAlgorithms type union that structurally excludes "none". The authorize schema is code_challenge_method: z.literal("S256").optional(), which rejects plain at parse time.
Workarounds
If developers cannot upgrade their applications immediately:
- Disable plain PKCE explicitly: set
oidcProvider({ allowPlainCodeChallengeMethod: false })(and the equivalent onmcp). Closes the runtime acceptance ofplaineven though the silent downgrade still rewrites missing methods. - Override the metadata to drop
"none"fromid_token_signing_alg_values_supported. ForoidcProvider, passmetadata: { id_token_signing_alg_values_supported: ["RS256"] }. Formcp, set the same onoptions.oidcConfig.metadata. Verify by curling the.well-knownendpoint. - Migrate to
@better-auth/oauth-provider: the package is the deprecation target and is unaffected by both defects.
Credit
Reported by @subhanUmer.
Resources
Impact
- Algorithm-negotiation downgrade: relying parties that read the discovery document without pinning may accept unsigned (
alg: "none") tokens. - Authorization-code interception: PKCE
plaindoes not protect the authorization code if the URL leaks (Referer headers, browser history, screen capture, proxy logs). PKCES256is what protects against that exposure; withplainthe protection is absent. - OAuth 2.1 / RFC 9700 non-conformance: deployments shipping the defaults are non-compliant with current standards.
The application uses a cryptographic algorithm known to have weaknesses, such as MD5, SHA-1, or DES. Typical impact: compromised confidentiality or integrity of protected data.
GHSA-9H47-PQCX-HJR4 has a CVSS score of 8.7 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.6.11); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Fixed in [email protected]. The legacy oidcProvider and mcp plugins now:
- Drop
"none"fromid_token_signing_alg_values_supported(both plugins) and fromresource_signing_alg_values_supported(mcp). Discovery no longer advertises the unsigned-token option. - Default
allowPlainCodeChallengeMethodtofalse. A request that explicitly passescode_challenge_method=plainis rejected withinvalid_requestunless the integrator opts in. - Reject a
code_challengewithout an accompanyingcode_challenge_methodinstead of silently rewriting the missing value toplain. Clients that sendcode_challengemust also sendcode_challenge_method=S256.
Discovery and runtime behavior align on S256 only by default.
Integrators who must keep plain PKCE for legacy clients can restore the previous shape with oidcProvider({ allowPlainCodeChallengeMethod: true }) (and likewise for mcp). With the opt-in set, a request that omits code_challenge_method is treated as plain again, preserving backwards compatibility while keeping the secure default for everyone else. Both legacy plugins are deprecated long-term; the recommended migration is @better-auth/oauth-provider, which never advertised none or accepted plain PKCE.
Frequently Asked Questions
- What is GHSA-9H47-PQCX-HJR4? GHSA-9H47-PQCX-HJR4 is a high-severity use of a broken or risky cryptographic algorithm vulnerability in better-auth (npm), affecting versions < 1.6.11. It is fixed in 1.6.11. The application uses a cryptographic algorithm known to have weaknesses, such as MD5, SHA-1, or DES.
- How severe is GHSA-9H47-PQCX-HJR4? GHSA-9H47-PQCX-HJR4 has a CVSS score of 8.7 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of better-auth are affected by GHSA-9H47-PQCX-HJR4? better-auth (npm) versions < 1.6.11 is affected.
- Is there a fix for GHSA-9H47-PQCX-HJR4? Yes. GHSA-9H47-PQCX-HJR4 is fixed in 1.6.11. Upgrade to this version or later.
- Is GHSA-9H47-PQCX-HJR4 exploitable, and should I be worried? Whether GHSA-9H47-PQCX-HJR4 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-9H47-PQCX-HJR4 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-9H47-PQCX-HJR4? Upgrade
better-authto 1.6.11 or later.