Threat Advisory

Better Auth Vulnerability Exposes Rate Limit Bypass

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT
Criticality: High

EXECUTIVE SUMMARY:

CVE-2026-45364 (CVSS 7.3) is a vulnerability in the Better Auth package affecting versions below 1.4.17 and versions from 1.5.0-beta.1 up to, but not including, 1.5.0-beta.9. It allows an attacker to bypass IPv6 rate limiting through prefix rotation: the rate limiter keys its counters on each full IPv6 address without normalizing it, so a single client can rotate through 2^64 distinct source addresses without ever exhausting a per-address counter. An attacker can exploit the flaw by sending requests from a client reachable over IPv6 against a deployment that has the rate-limit configuration enabled and takes the client address from the leftmost `x-forwarded-for` value or another configured IP-bearing header. A successful attacker bypasses rate limiting on authentication endpoints, which can lead to excessive resource consumption or denial of service. The business impact is significant: weakened protection of authentication systems can result in financial loss or reputational damage. Exploitation requires that the affected application serves clients reachable over IPv6 and that the rate-limit configuration is enabled.
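The following is an added example, not Better Auth's own code, showing the difference between the weak keying the advisory describes and a hardened key. It is a minimal fixed-window rate limiter that is run twice over the same constructed traffic (ten requests from ten different addresses inside one /64): once keyed on the raw address, where every address gets its own counter, and once keyed on a normalized IPv6 /64 prefix, where they share one counter. The function names (`parseIPv6`, `rateLimitKey`, `RateLimiter`, `simulate`), the limit of five per window and the `2001:db8:abcd:1::/64` sample addresses are assumptions made for this example.

```javascript
// Added example, not Better Auth's own code: a fixed-window rate limiter keyed
// first on the raw client address (the weak behaviour the advisory describes)
// and then on a normalised IPv6 /64 prefix (the hardened form). Limits and
// sample addresses are constructed.

// Parse an IPv6 textual address into 16 bytes. Handles "::" compression,
// bracketed form, a zone id suffix and an embedded dotted IPv4 tail
// (e.g. ::ffff:192.0.2.1). Returns null for anything malformed.
function parseIPv6(text) {
  let s = String(text).trim();
  const zone = s.indexOf('%');                 // drop a zone id such as %eth0
  if (zone !== -1) s = s.slice(0, zone);
  if (s.startsWith('[') && s.endsWith(']')) s = s.slice(1, -1);
  const parts = s.split('::');
  if (parts.length > 2) return null;           // at most one "::" is allowed

  const toGroups = (chunk) => {
    if (chunk === '') return [];
    const items = chunk.split(':');
    const out = [];
    for (let i = 0; i < items.length; i++) {
      const item = items[i];
      if (item.includes('.')) {                // dotted IPv4 tail = last two groups
        const oct = parseIPv4(item);
        if (i !== items.length - 1 || oct === null) return null;
        out.push((oct[0] << 8) | oct[1], (oct[2] << 8) | oct[3]);
      } else if (/^[0-9a-fA-F]{1,4}$/.test(item)) {
        out.push(parseInt(item, 16));
      } else {
        return null;
      }
    }
    return out;
  };

  const head = toGroups(parts[0]);
  const tail = parts.length === 2 ? toGroups(parts[1]) : [];
  if (head === null || tail === null) return null;
  let groups = head;
  if (parts.length === 2) {
    const missing = 8 - head.length - tail.length;
    if (missing < 1) return null;              // "::" must stand for >= 1 group
    groups = [...head, ...new Array(missing).fill(0), ...tail];
  }
  if (groups.length !== 8) return null;
  const bytes = new Uint8Array(16);
  groups.forEach((g, i) => { bytes[2 * i] = g >> 8; bytes[2 * i + 1] = g & 0xff; });
  return bytes;
}

// Strict dotted-quad parser; returns the four octets or null.
function parseIPv4(text) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(text);
  if (!m) return null;
  const oct = m.slice(1, 5).map(Number);
  return oct.every((o) => o <= 255) ? oct : null;
}

// Hardened key: IPv4 as-is, IPv4-mapped IPv6 (::ffff:a.b.c.d) as the IPv4 it
// wraps, every other IPv6 address as its /64 prefix, so all addresses a host
// can mint inside one /64 share a single counter. Unparseable input -> null.
function rateLimitKey(ip) {
  if (parseIPv4(ip) !== null) return `v4:${ip}`;
  const b = parseIPv6(ip);
  if (b === null) return null;
  const mapped = b.slice(0, 10).every((x) => x === 0) && b[10] === 0xff && b[11] === 0xff;
  if (mapped) return `v4:${b[12]}.${b[13]}.${b[14]}.${b[15]}`;
  const groups = [];
  for (let i = 0; i < 8; i += 2) groups.push(((b[i] << 8) | b[i + 1]).toString(16));
  return `v6/64:${groups.join(':')}`;
}

// The weak keying the advisory describes: the full address string is the key.
const perAddressKey = (ip) => ip;

// Minimal fixed-window limiter; keyFn decides what identifies a client.
class RateLimiter {
  constructor({ max, windowMs, keyFn }) {
    Object.assign(this, { max, windowMs, keyFn, buckets: new Map() });
  }
  // true = allowed, false = over limit. An unparseable address is refused
  // rather than silently exempted from limiting.
  check(ip, now = Date.now()) {
    const key = this.keyFn(ip);
    if (key === null) return false;
    let b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      b = { start: now, count: 0 };
      this.buckets.set(key, b);
    }
    b.count += 1;
    return b.count <= this.max;
  }
}

// Constructed scenario: ten requests, each from a different address inside the
// same /64 (2001:db8:abcd:1::/64), against a limit of five per window.
// Returns how many of the ten were allowed.
function simulate(keyFn) {
  const limiter = new RateLimiter({ max: 5, windowMs: 60_000, keyFn });
  let allowed = 0;
  for (let i = 0; i < 10; i++) {
    if (limiter.check(`2001:db8:abcd:1::${i.toString(16)}`, 1000)) allowed += 1;
  }
  return allowed;
}

console.log('per-address keying allowed', simulate(perAddressKey), 'of 10'); // 10
console.log('/64 prefix keying allowed', simulate(rateLimitKey), 'of 10');   // 5
```

Two caveats when applying this pattern. First, the key is only as good as the address fed into it: the advisory notes that the affected configuration relies on the leftmost `x-forwarded-for` value, and that leftmost entry is whatever the client chose to send, so the address used for keying should be the one appended by your own trusted proxy. Second, /64 is the usual per-site assignment, but providers commonly delegate /56 or /48 to a single customer, so the prefix length is a deployment choice; the example fixes it at /64 only for illustration.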


RECOMMENDATION:

We recommend updating better-auth to version 1.4.17, or to 1.5.0-beta.9 on the 1.5.0 beta line.

REFERENCES:

The following reports contain further technical details:
https://github.com/advisories/GHSA-p6v2-xcpg-h6xw
