Use of Web Browser Cache Containing Sensitive Information in better-call

Q: How to fix?

Upgrade better-call to version 1.0.12 or higher.

Introduced: 11 Jul 2025

How to fix?

Upgrade better-call to version 1.0.12 or higher.

Overview

better-call is a Better call is a tiny web framework for creating endpoints that can be invoked as a normal function or mounted to a router to be served by any web standard compatible server (like Bun, node, nextjs, sveltekit...) and also includes a typed RPC client for t

Affected versions of this package are vulnerable to Use of Web Browser Cache Containing Sensitive Information via insufficient path sanitization in the request processing logic. An attacker can access sensitive user session data by crafting requests that mimic static asset paths, causing a CDN to cache and serve sensitive responses to unauthorized users.

References

GitHub Commit

CVSS Base Scores

version 4.0

version 3.1

Attack Vector (AV)
Network
Attack Complexity (AC)
Low
Attack Requirements (AT)
None
Privileges Required (PR)
Low
User Interaction (UI)
None

Confidentiality (VC)
High
Integrity (VI)
None
Availability (VA)
None

Confidentiality (SC)
None
Integrity (SI)
None
Availability (SA)
None

Use of Web Browser Cache Containing Sensitive Information Affecting better-call package, versions <1.0.12

Severity

Do your applications use this vulnerable package?

Introduced: 11 Jul 2025

How to fix?

Overview

References

CVSS Base Scores

Snyk