
The bug turns API keys, which are often long‑lived tokens, into a backdoor, exposing the many applications that rely on better‑auth for API‑key authentication to credential abuse and, depending on what those keys are allowed to do, to wider compromise.
The better‑auth library, with roughly 300,000 weekly npm downloads, is a cornerstone for many Node.js applications that rely on API‑key authentication for service‑to‑service communication. Because a request that includes a userId is allowed to skip session validation, the library inadvertently lets an attacker generate or modify API keys for that user without presenting any credential of their own. This type of authorization bypass is especially dangerous because API keys typically sit outside multi‑factor authentication and, unless an expiry is set, remain valid indefinitely, so a single attacker‑minted key becomes a persistent foothold.
From a risk‑management perspective, the vulnerability underscores the broader challenge of third‑party component security. Organizations that embed open‑source authentication libraries must adopt rigorous software composition analysis, maintain an up‑to‑date SBOM, and enforce zero‑trust principles that verify identity on every privileged action. The exploit’s low complexity, merely sending a POST to /api/auth/api-key/create with a victim's userId in the body, means that any deployment that exposes that endpoint on an unpatched version without additional checks is at immediate risk. Consequently, security teams should prioritize patch deployment, enforce strict least‑privilege scopes for API keys, and implement expiration policies to limit the blast radius of any key that is abused.
Mitigation steps extend beyond a simple upgrade. Enterprises should rotate all API keys generated during the potential exposure window, since any of them may have been minted by an attacker rather than by the account owner, invalidate stale credentials, and enable detailed logging and rate‑limiting on key‑creation endpoints. Real‑time monitoring for keys created without an accompanying session, anomalous source IP addresses or automation patterns can surface abuse early, while incident‑response playbooks must incorporate authentication‑bypass scenarios. By combining timely patching with disciplined credential governance, organizations can restore confidence in their API‑driven architectures and reduce the impact of similar flaws in third‑party components in the future.