Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions

GHSA-wmjr-v86c-m9jj

Published Nov 26, 2025 · Modified May 8, 2026

Description

Summary

A vulnerability was identified in the multi-session plugin for Better Auth, specifically in the /sign-out after-hook. The hook trusts raw multi-session cookies and forwards the extracted values directly to internalAdapter.deleteSessions without verifying the cookie signature. Because cookie values are not validated with getSignedCookie (or any equivalent check), an attacker can supply a forged _multi-* cookie to trigger deletion of arbitrary session tokens.

References

WEB https://github.com/better-auth/better-auth/security/advisories/GHSA-wmjr-v86c-m9jj
WEB https://github.com/better-auth/better-auth/commit/cfc453a2a6eb02951f9a0a7c944064936e73eee8
PACKAGE https://github.com/better-auth/better-auth
WEB https://github.com/better-auth/better-auth/releases/tag/v1.4.0

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes