Launch Week Day 1: Announcing Security Design Review
Start for Free
HIGH 8.6 npm

Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

GHSA-x732-6j76-qmhm

Published · Modified

Description

Summary

An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs (e.g., by collapsing multiple slashes), this can allow bypasses of disabledPaths and path-based rate limits.

Details

Better Auth uses better-call, which internally relies on rou3 for routing. Affected versions of rou3 normalize paths by removing empty segments. As a result:

  • /sign-in/email
  • //sign-in/email
  • ///sign-in/email

…all resolve to the same route.

Some production setups automatically collapse multiple slashes. This includes:

In these environments and other configurations where //path reach Better Auth as /path, the issue does not apply.

Fix

Updating rou3 to the latest version resolves the issue:

Better Auth recommends:

  1. Upgrading to Better Auth v1.4.5 or later, which includes the updated rou3.
  2. Ensuring the proxy normalizes URLs.
  3. If project maintainers cannot upgrade yet, they can protect their app by normalizing url before it reaches better-auth handler. See example below:
const req = new Request(...) // this would be the actual request object
const url = new URL(req.url);
const normalizedPath = url.pathname.replace(/\/+/g, "/");

if (url.pathname !== normalizedPath) {
  url.pathname = normalizedPath;
  // Update the raw request pathname
  Object.defineProperty(req, "url", {
    value: url.toString(),
    writable: true,
    configurable: true,
  });
}

Impact

  • Bypass disabledPaths
  • Bypass path-based rate limits

The impact of bypassing disabled paths could vary based on a project's configuration.

References

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes