logo

Advisories

Weaknesses

Fixes

Requirements

Compliance

GHSA-hq75-xg7r-rx6c better-call

Package

Manager: npm
Name: better-call
Vulnerable Version: >=0 <1.0.12

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

EPSS: N/A pctlN/A

Details

Better Call routing bug can lead to Cache Deception ### Summary Using a CDN that caches (`/**/*.png`, `/**/*.json`, `/**/*.css`, etc...) requests, a cache deception can emerge. This could lead to unauthorized access to user sessions and personal data when cached responses are served to other users. ### Details The vulnerability occurs in the request processing logic where path sanitization is insufficient. The library splits the path using `config.basePath` but doesn't properly validate the remaining path components. This allows specially crafted requests that appear to be static assets (like `/api/auth/get-session/api/auth/image.png` assuming `config.basePath`=`/api/auth`) to bypass typical CDN cache exclusion rules while actually returning sensitive data. The problematic code [here](https://github.com/Bekacru/better-call/blob/8b6f13e24fad7f4666a582601517bb3232d4f4af/src/router.ts#L124): ```js const processRequest = async (request: Request) => { const url = new URL(request.url); const path = config?.basePath ? url.pathname.split(config.basePath)[1] : url.pathname; ``` Since this library is largely coupled with `better-auth`, it becomes more clear why this can be dangerous with an example request: <img width="800" alt="image" src="https://github.com/user-attachments/assets/2ab7c4dd-0700-4f59-863f-79f2b5edbb37" /> ### Impact This is a cache deception vulnerability affecting `better-call` users with CDN caching enabled. which can expose sensitive data.

Metadata

Created: 2025-07-11T17:09:53Z
Modified: 2025-07-11T17:09:53Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-hq75-xg7r-rx6c/GHSA-hq75-xg7r-rx6c.json
CWE IDs: ["CWE-525"]
Alternative ID: N/A
Finding: F065
Auto approve: 1