Cross-site Request Forgery (CSRF) Affecting better-auth package, versions <1.6.2
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JS-BETTERAUTH-16722768
- published17 May 2026
- disclosed15 May 2026
- creditJvr,Piia
Introduced: 15 May 2026
New CVE NOT AVAILABLE CWE-345 (opens in a new tab)How to fix?
Upgrade better-auth to version 1.6.2 or higher.
Overview
better-auth is a The most comprehensive authentication library for TypeScript.
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) when building an errorURL in parseGenericState, when the storeStateStrategy is set to "cookie" and PKCE is disabled. An attacker can gain unauthorized access to a victim's session or link their external account to the victim's authenticated account by convincing a user to follow a malicious OAuth callback URL with a forged state and arbitrary code, while the target browser holds a valid oauth_state cookie.
Workaround
This vulnerability can be avoided by setting the storeStateStrategy to "database" or enabling PKCE (pkce: true) on all affected OAuth providers.