Session Fixation Affecting better-auth package, versions >=1.3.34 <1.4.0

Q: How to fix?

Upgrade better-auth to version 1.4.0 or higher.

Threat Intelligence

Proof of Concept

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk IDSNYK-JS-BETTERAUTH-14135654
published27 Nov 2025
disclosed26 Nov 2025
creditmufeedvh

Report a new vulnerability Found a mistake?

Introduced: 26 Nov 2025

NewCWE-384 (opens in a new tab)

How to fix?

Upgrade better-auth to version 1.4.0 or higher.

Overview

better-auth is a The most comprehensive authentication library for TypeScript.

Affected versions of this package are vulnerable to Session Fixation via the constantTimeEqual function in the crypto/buffer.ts file. An attacker can cause arbitrary user sessions to be revoked by forging cookies containing another user's session token and triggering the sign-out handler.

References

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
Present
Privileges Required (PR)
High
User Interaction (UI)
Passive

Confidentiality (VC)
None
Integrity (VI)
High
Availability (VA)
High

Confidentiality (SC)
None
Integrity (SI)
High
Availability (SA)
High