
CVE-2026-45364

Published 28/05/2026 22:17 · Modified 28/05/2026 22:17

Labels: CVE-2026-45364, 2026-05-28, CWE-307, [email protected]

Essential information

Published
28/05/2026 22:17
Modified
28/05/2026 22:17
Author
Creator
CVSS
7.3 HIGH (v3.1)
CISA KEV
No
CWE
CWE-307
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CVSS metrics

Description

Better Auth is an authentication and authorization library for TypeScript. Prior to 1.4.17 and 1.5.0-beta.9, Better Auth's HTTP rate limiter keyed each request by the exact textual IP address it received in x-forwarded-for (or the configured IP-bearing header). IPv6 clients controlling a typical /64 allocation could rotate through 2^64 distinct source addresses without exhausting the per-address counter, defeating rate limiting on /sign-in/email, /sign-up/email, /forget-password, and every other path the limiter protects. The same bug allowed a single client to vary the textual encoding of one IPv6 address (uppercase, compression, IPv4-mapped, hex-encoded IPv4-in-IPv6) and produce multiple distinct keys. This vulnerability is fixed in 1.4.17 and 1.5.0-beta.9.
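As an added defensive example (not Better Auth's own code), a TypeScript key derivation for a rate limiter that canonicalizes the IPv6 encodings named above (case, "::" compression, dotted and hex IPv4-mapped forms) and buckets IPv6 clients by /64, so a client rotating through a /64 or varying the textual form of one address hits a single counter; it also handles plain IPv4. The function names and the "v4:"/"v6:" key prefixes are assumptions.

```typescript
// Added example, not Better Auth's code: rate-limit key that collapses textual
// variants of one IP and all addresses in one IPv6 /64 onto one counter.

function parseIPv4(s: string): number[] | null {
  const parts = s.split(".");
  if (parts.length !== 4) return null;
  // Number() also strips leading zeros, so "01.2.3.4" keys like "1.2.3.4".
  const octets = parts.map((p) => (/^\d{1,3}$/.test(p) ? Number(p) : NaN));
  return octets.some((o) => Number.isNaN(o) || o > 255) ? null : octets;
}

// Returns the eight 16-bit groups of an IPv6 address, or null if malformed.
function parseIPv6(s: string): number[] | null {
  let text = s.trim().toLowerCase();           // hex groups are case-insensitive
  const pct = text.indexOf("%");               // drop any zone id (fe80::1%eth0)
  if (pct >= 0) text = text.slice(0, pct);
  if (text.includes(".")) {                    // dotted IPv4 tail -> two hex groups
    const cut = text.lastIndexOf(":");
    const v4 = parseIPv4(text.slice(cut + 1));
    if (!v4) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    text = `${text.slice(0, cut + 1)}${hi}:${lo}`;
  }
  const halves = text.split("::");             // expand "::" compression
  if (halves.length > 2) return null;
  const split = (h: string): string[] => (h === "" ? [] : h.split(":"));
  const head = split(halves[0]);
  const tail = halves.length === 2 ? split(halves[1]) : [];
  const fill = halves.length === 2 ? 8 - head.length - tail.length : 0;
  if (fill < 0 || head.length + fill + tail.length !== 8) return null;
  const groups = [...head, ...Array<string>(fill).fill("0"), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

export function rateLimitKey(ip: string): string | null {
  const v4 = parseIPv4(ip.trim());
  if (v4) return `v4:${v4.join(".")}`;
  const g = parseIPv6(ip);
  if (!g) return null;
  // IPv4-mapped (::ffff:a.b.c.d or ::ffff:hex:hex) keys as the embedded IPv4.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return `v4:${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`;
  }
  // Bucket by /64: one counter per typical customer allocation.
  const prefix = g.slice(0, 4).map((x) => x.toString(16).padStart(4, "0"));
  return `v6:${prefix.join(":")}::/64`;
}
```

A limiter keyed on the returned string (rather than the raw header value) treats all of the variants in the description as one client; unparseable input returns null so the caller can reject or fall back to a shared bucket.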

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]

Affected products (CPE)

Product                    CPE
better auth / better auth  cpe:2.3:a:better_auth:better_auth:<1.4.17:*:*:*:*:*:*:*
better auth / better auth  cpe:2.3:a:better_auth:better_auth:<1.5.0-beta.9:*:*:*:*:*:*:*

References