Upgrade better-auth to version 1.4.17, 1.5.0-beta.9 or higher.
better-auth is the most comprehensive authentication library for TypeScript.
Affected versions of this package are vulnerable to Brute Force when rate limiting is enabled (which it is by default). The protection provided by the getIp() function, which builds rate-limiting keys from the exact textual IP address taken from the leftmost x-forwarded-for header value or from other configured IP-bearing headers, can be circumvented. An attacker can rotate IPv6 prefixes or vary the textual representation of IPv6 addresses to make unlimited authentication attempts. Applications that serve clients over IPv4 only are not vulnerable.
Version 1.4.16 provides the normalizeIP helper, but the IPv6 prefix length defaults to /128. This does not fully block the attack described, because no prefix mask is applied and prefix rotation therefore remains possible. In this version, configuring advanced.ipAddress.ipv6Subnet: 64 further mitigates the vulnerability.
Additionally, tightening the customRules window for authentication endpoints can partially reduce the abuse window.
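The following TypeScript is an added example and not better-auth's own getIp() or normalizeIP implementation; the function and class names (parseIPv6, maskGroups, rateLimitKey, FixedWindowLimiter) and the sample addresses are assumptions made here. It shows why a key built from the raw textual IP fails (every spelling of the same address, and every host inside one /64, gets its own counter) and how canonicalizing the address and masking it to the configured prefix length collapses those variants into a single rate-limit bucket. It also shows that a /128 mask alone still gives each host in the prefix a separate counter, which is the gap the ipv6Subnet: 64 setting closes.

```typescript
// Added example, not better-auth code. Names below are assumed for illustration.

// Parse a textual IPv6 address into eight 16-bit groups; null on malformed input.
function parseIPv6(text: string): number[] | null {
  let s = text.trim().toLowerCase();
  if (s.startsWith("[") && s.endsWith("]")) s = s.slice(1, -1); // [addr] form
  const zone = s.indexOf("%");
  if (zone !== -1) s = s.slice(0, zone); // drop a zone id such as %eth0
  // Rewrite a trailing dotted IPv4 (e.g. ::ffff:192.0.2.1) into two hex groups.
  const v4 = s.match(/^(.*:)(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  if (v4) {
    const o = v4.slice(2).map(Number);
    if (o.some((x) => x > 255)) return null;
    s = v4[1] + ((o[0] << 8) | o[1]).toString(16) + ":" + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null; // at most one "::"
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 2 ? missing < 1 : missing !== 0) return null;
  const groups = [...head, ...new Array<string>(halves.length === 2 ? missing : 0).fill("0"), ...tail];
  const out: number[] = [];
  for (const g of groups) {
    if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
    out.push(parseInt(g, 16));
  }
  return out;
}

// Keep only the first prefixLen bits of the address; the host part is zeroed.
function maskGroups(groups: number[], prefixLen: number): number[] {
  const bits = Math.min(128, Math.max(0, prefixLen));
  return groups.map((g, i) => {
    const kept = Math.min(16, Math.max(0, bits - i * 16));
    const mask = kept === 0 ? 0 : (0xffff << (16 - kept)) & 0xffff;
    return g & mask;
  });
}

// Canonical rate-limit key: IPv4 by exact address, IPv6 by masked prefix.
// Returns null for unparseable input so the caller can fail closed.
function rateLimitKey(ip: string, ipv6Subnet: number = 64): string | null {
  const t = ip.trim();
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(t)) {
    const octets = t.split(".").map(Number);
    if (octets.some((o) => o > 255)) return null;
    return "v4:" + octets.join("."); // "192.000.002.001" and "192.0.2.1" agree
  }
  const groups = parseIPv6(t);
  if (!groups) return null;
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is the same client as the IPv4 address.
  if (groups.slice(0, 5).every((g) => g === 0) && groups[5] === 0xffff) {
    const a = groups[6], b = groups[7];
    return "v4:" + [a >> 8, a & 0xff, b >> 8, b & 0xff].join(".");
  }
  const masked = maskGroups(groups, ipv6Subnet);
  return "v6:" + masked.map((g) => g.toString(16)).join(":") + "/" + ipv6Subnet;
}

// Minimal fixed-window limiter keyed by the canonical key above.
class FixedWindowLimiter {
  private max: number;
  private windowMs: number;
  private hits: Map<string, { count: number; resetAt: number }> = new Map();
  constructor(max: number, windowMs: number) {
    this.max = max;
    this.windowMs = windowMs;
  }
  // true if the attempt is allowed, false if the bucket is exhausted or the IP is invalid.
  check(ip: string, now: number): boolean {
    const key = rateLimitKey(ip);
    if (key === null) return false; // fail closed on garbage client addresses
    const e = this.hits.get(key);
    if (!e || now >= e.resetAt) {
      this.hits.set(key, { count: 1, resetAt: now + this.windowMs });
      return true;
    }
    e.count += 1;
    return e.count <= this.max;
  }
}

// Constructed sample: four spellings/hosts from one /64 share a 3-attempt bucket.
const limiter = new FixedWindowLimiter(3, 60_000);
const sample = ["2001:db8::1", "2001:DB8::1", "2001:db8::2", "2001:db8:0:0::3"];
console.log(sample.map((ip) => `${ip} -> ${limiter.check(ip, 1000)}`).join("\n"));
```

With ipv6Subnet left at 128, the same four sample addresses produce three different keys, so the rotation described above is never counted against one bucket; with 64 they all map to `v6:2001:db8:0:0:0:0:0:0/64`. Rejecting unparseable addresses rather than keying on the raw string is deliberate: a key derived from an arbitrary header value is exactly what lets a client mint fresh buckets at will.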