Summary
Am I affected?
Users are affected if all of the following are true:
- The application uses
better-authat a version below1.6.2(or@better-auth/ssopaired with such a version). betterAuth({ account: { storeStateStrategy } })is set to"cookie". The default"database"is not affected.- The application wires at least one OAuth provider through
genericOAuth({ config })withpkce: false, or it supplies a customgetTokenortokenUrlthat does not require the storedcodeVerifier. Stock social providers with PKCE on are not affected. - The provider returns arbitrary
codevalues to the configured callback URL.
If users are on [email protected] or later, they are not affected.
Fix:
- Upgrade to
[email protected]or later (current stable is1.6.10). - If users cannot upgrade, see workarounds below.
In parseGenericState, the cookie branch decrypted the oauth_state cookie and validated expiry, but did not compare the incoming OAuth state query parameter to the nonce that generateGenericState issued at sign-in. Any callback to /api/auth/oauth2/callback/<providerId> that arrived with a forged state and any code was therefore accepted as long as the browser still held a live oauth_state cookie. With pkce: false (or any getToken path that does not enforce a code-verifier round-trip), an attacker who forced the victim to deliver an attacker-controlled authorization code to the callback would mint a session bound to the attacker's external identity in the victim's browser. Account-linking flows behaved the same way, binding the attacker's external account to an authenticated victim row.
Details
The cookie branch of parseGenericState did not compare the cookie's stored nonce to the incoming state parameter. The database branch (the default) was not affected because the verification row is keyed by state and the lookup itself enforces equality.
The fix re-binds the cookie to the nonce: generateGenericState writes oauthState: state into the encrypted payload before storage, and parseGenericState rejects when parsedData.oauthState !== state. The same primitive covers every caller (generic-oauth, social, account-link, oauth-proxy passthrough, OIDC SSO, SAML relay state).
Workarounds
If users cannot upgrade immediately:
- Switch
storeStateStrategyback to"database"(the default). This closes the cookie-only bypass without a code change. - Enable
pkce: trueon every affectedgenericOAuthprovider. ThecodeVerifieris the missing primitive that the attacker cannot supply.
Credit
Reported by @Jvr2022 via private advisory disclosure, and by @alavesa (PatchPilots audit) via the public duplicate issue #8897.
Resources
Impact
- Forced-login (CSRF on OAuth callback): the attacker forces the victim's browser into an authenticated session bound to the attacker's external identity, allowing the attacker to observe the victim's actions inside the application.
- Persistent account linking: account-link flows bind the attacker's external account to the victim's authenticated row, granting persistent access until the link is removed.
The application does not adequately verify the identity of a user, device, or process before granting access. Typical impact: unauthorized access to functions or data reserved for authenticated parties.
GHSA-WXW3-Q3M9-C3JR has a CVSS score of 5.3 (Medium). The vector is network-reachable, no privileges required, and user interaction required. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.6.2); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Remediation advice
Fixed in [email protected] via PR #8949 (commit 9deb7936a, merged 2026-04-09). The cookie branch of parseGenericState now rejects when the encrypted payload's nonce does not match the incoming state parameter; the database branch gained a defense-in-depth equality check.
Frequently Asked Questions
- What is GHSA-WXW3-Q3M9-C3JR? GHSA-WXW3-Q3M9-C3JR is a medium-severity improper authentication vulnerability in better-auth (npm), affecting versions < 1.6.2. It is fixed in 1.6.2. The application does not adequately verify the identity of a user, device, or process before granting access.
- How severe is GHSA-WXW3-Q3M9-C3JR? GHSA-WXW3-Q3M9-C3JR has a CVSS score of 5.3 (Medium). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of better-auth are affected by GHSA-WXW3-Q3M9-C3JR? better-auth (npm) versions < 1.6.2 is affected.
- Is there a fix for GHSA-WXW3-Q3M9-C3JR? Yes. GHSA-WXW3-Q3M9-C3JR is fixed in 1.6.2. Upgrade to this version or later.
- Is GHSA-WXW3-Q3M9-C3JR exploitable, and should I be worried? Whether GHSA-WXW3-Q3M9-C3JR is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-WXW3-Q3M9-C3JR is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-WXW3-Q3M9-C3JR? Upgrade
better-authto 1.6.2 or later.