Skip to content

Commit 54274e0

Browse files
1 parent c5495a0 commit 54274e0

3 files changed

Lines changed: 226 additions & 0 deletions

File tree

Lines changed: 80 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,80 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2vg6-77g8-24mp",
4+
"modified": "2026-07-07T20:56:45Z",
5+
"published": "2026-07-07T20:56:45Z",
6+
"aliases": [],
7+
"summary": "Better Auth: Stale sessions persist after user deletion across admin, anonymous, and SCIM flows",
8+
"details": "### Am I affected?\n\nUsers are affected if all of the following are true:\n\n- They configure `secondaryStorage` on `betterAuth(...)` (Redis, KV, or any external session cache).\n- `session.storeSessionInDatabase` is left unset or set to `false` (the default).\n- Their application's deployment uses one or more of:\n - The `admin` plugin and calls `auth.api.removeUser(...)` or `authClient.admin.removeUser(...)`.\n - The `anonymous` plugin and exposes `/delete-anonymous-user` or relies on the after-link hook to clean up the anonymous user.\n - The `@better-auth/scim` plugin and exposes `DELETE /scim/v2/Users/:userId`.\n\nIf `storeSessionInDatabase` is `true`, sessions are also written to the database, and the database delete cascades; users are not affected.\n\nFix:\n\n1. Upgrade to `better-auth@<patched-version>` or later (and `@better-auth/scim@<patched-version>` if they use SCIM).\n2. If they cannot upgrade, see workarounds below.\n\n### Summary\n\nWhen `secondaryStorage` is configured and `storeSessionInDatabase` is `false`, three user-deletion endpoints in `better-auth` plus one in `@better-auth/scim` call `internalAdapter.deleteUser(userId)` without first calling `internalAdapter.deleteSessions(userId)`. The deleted user's session payload (which carries a cached user object) remains in secondary storage, and `internalAdapter.findSession(token)` keeps returning it as a valid session until the session TTL elapses (default 7 days).\n\n### Details\n\nThe vulnerable call sites are:\n\n- `admin` plugin's `removeUser` (`packages/better-auth/src/plugins/admin/routes.ts:1463`).\n- `anonymous` plugin's self-delete endpoint (`packages/better-auth/src/plugins/anonymous/index.ts:222`).\n- `anonymous` plugin's after-link hook (`packages/better-auth/src/plugins/anonymous/index.ts:325`).\n- `@better-auth/scim`'s `DELETE /scim/v2/Users/:userId` (`packages/scim/src/routes.ts:1019`).\n\nWorking callers that already do the right thing: the core `/delete-user` self-delete and `/delete-user/callback` (`packages/better-auth/src/api/routes/update-user.ts:551`).\n\nThe fix shape extends each vulnerable caller to invoke `deleteSessions(userId)` before `deleteUser(userId)`. The architectural follow-up centralizes the cleanup inside `deleteUser` itself or introduces a single `deleteUserAndSessions` orchestrator so future callers cannot regress this contract.\n\n### Patches\n\nFixed in `better-auth@<patched-version>` and `@better-auth/scim@<patched-version>`. All four user-deletion call sites now invoke `deleteSessions(userId)` before `deleteUser(userId)` so sessions are evicted from secondary storage at the same time the user row is removed.\n\n### Workarounds\n\nIf users cannot upgrade immediately:\n\n- **Configuration-level**: set `session.storeSessionInDatabase: true`. Subsequent user-delete writes reach the session table and the database cascade removes rows. Increases write volume for high-throughput sessions but eliminates the gap.\n- **Code-level (admin path)**: when calling `auth.api.removeUser`, also call `auth.api.revokeUserSessions({ body: { userId } })`, which uses `deleteSessions` internally.\n- **Code-level (SCIM path)**: wrap their SCIM provider's deprovisioning hook to call `auth.api.revokeUserSessions(...)` after the SCIM DELETE.\n- **Code-level (anonymous path)**: in `onLinkAccount`, explicitly call `internalAdapter.deleteSessions(anonymousUser.user.id)` before allowing the new session to be issued.\n\n### Impact\n\n- **Stale session validity**: a deleted user's existing session cookie continues to authenticate against `getSessionFromCtx` until the session TTL elapses (default 7 days). Within that window, the deleted user retains their pre-existing read and write surface.\n- **SCIM-driven deprovisioning gap**: organizations using SCIM to revoke offboarded employees' access do not, in fact, revoke active sessions. The deleted account remains usable for up to 7 days after deprovisioning.\n\n### Credit\n\nReported by @iruizsalinas.\n\n### Resources\n\n- [CWE-613: Insufficient Session Expiration](https://cwe.mitre.org/data/definitions/613.html)\n- [CWE-672: Operation on a Resource after Expiration or Release](https://cwe.mitre.org/data/definitions/672.html)\n- [CWE-459: Incomplete Cleanup](https://cwe.mitre.org/data/definitions/459.html)",
9+
"severity": [
10+
{
11+
"type": "CVSS_V3",
12+
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "npm",
19+
"name": "better-auth"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0.3.4"
27+
},
28+
{
29+
"fixed": "1.6.11"
30+
}
31+
]
32+
}
33+
]
34+
},
35+
{
36+
"package": {
37+
"ecosystem": "npm",
38+
"name": "@better-auth/scim"
39+
},
40+
"ranges": [
41+
{
42+
"type": "ECOSYSTEM",
43+
"events": [
44+
{
45+
"introduced": "1.6.0"
46+
},
47+
{
48+
"fixed": "1.6.11"
49+
}
50+
]
51+
}
52+
]
53+
}
54+
],
55+
"references": [
56+
{
57+
"type": "WEB",
58+
"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-2vg6-77g8-24mp"
59+
},
60+
{
61+
"type": "PACKAGE",
62+
"url": "https://github.com/better-auth/better-auth"
63+
},
64+
{
65+
"type": "WEB",
66+
"url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
67+
}
68+
],
69+
"database_specific": {
70+
"cwe_ids": [
71+
"CWE-459",
72+
"CWE-613",
73+
"CWE-672"
74+
],
75+
"severity": "LOW",
76+
"github_reviewed": true,
77+
"github_reviewed_at": "2026-07-07T20:56:45Z",
78+
"nvd_published_at": null
79+
}
80+
}
Lines changed: 86 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,86 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-7w99-5wm4-3g79",
4+
"modified": "2026-07-07T20:56:35Z",
5+
"published": "2026-07-07T20:56:35Z",
6+
"aliases": [
7+
"CVE-2026-53518"
8+
],
9+
"summary": "@better-auth/oauth-provider's OAuth authorization-code grant allows concurrent redemption when two token requests race the find-then-delete primitive",
10+
"details": "### Am I affected?\n\nUsers are affected if all of the following are true:\n\n- Their project depends on `@better-auth/oauth-provider` at a version `>= 1.6.0, < 1.6.11`, or uses the embedded plugin in `better-auth >= 1.4.8-beta.7, < 1.6.0`, or enables the legacy `oidc-provider` or `mcp` plugins from `better-auth/plugins`.\n- Their application exposes `/api/auth/oauth2/token` (or the legacy plugins' `/oauth2/token` and `/mcp/token`) as a token endpoint to OAuth/OIDC clients, including internal MCP clients (Claude Desktop, custom MCP tool callers, AI agents).\n- Their application has not implemented an external mitigation: a load-balancer-level idempotency cache keyed by `code`, a database trigger that rejects duplicate token issuance for the same authorization code, or a custom adapter override that performs an atomic compare-and-delete.\n\nFix:\n\n1. Upgrade to `@better-auth/oauth-provider@1.6.11` or later. If developers use the legacy plugin paths from `better-auth/plugins`, upgrade `better-auth` to `1.6.11` or later.\n2. If developers cannot upgrade, see workarounds below.\n\n### Summary\n\nThe OAuth provider's `POST /oauth2/token` endpoint, on the `authorization_code` grant, redeems a single-use authorization code through a non-atomic find-then-delete sequence. Two concurrent requests with the same `code` value both pass the read step before either delete completes, then both proceed to PKCE verification and `createUserTokens`. Each surviving request mints a fresh access token, refresh token, and id token. RFC 6749 §4.1.2 requires authorization codes to be single-use; this primitive does not enforce that under concurrency.\n\n### Details\n\nThe same architectural primitive (find a single-use verification row, then delete it, then trust the row to authorize) is used in 20 other call sites across the codebase. The deletion primitive returns `Promise<void>`, discarding the row count surfaced by `adapter.deleteMany`, so no call site can detect \"another caller already claimed this row\". The fix lands at the primitive layer rather than at any individual call site.\n\nThe fix introduces a `claimVerificationByIdentifier` primitive at the internal-adapter layer that performs an atomic claim-and-return, replaces the find-then-delete pair at this call site, and migrates the highest-impact variant sites in the same release.\n\n### Patches\n\nFixed in `@better-auth/oauth-provider@1.6.11` and `better-auth@1.6.11` for the legacy `oidc-provider` and `mcp` plugin paths. All three token-exchange call sites now consume the verification row through `internalAdapter.consumeVerificationValue`, an atomic claim primitive that deletes the row and returns its prior value in one operation. The first request to arrive takes the row and mints tokens; concurrent racers observe an empty result and return `invalid_grant`.\n\nError-code consistency is also tightened on the `@better-auth/oauth-provider` token endpoint: the malformed-verification-value branches previously returned a project-specific `invalid_verification` code, which is not part of RFC 6749 §5.2's response error set. Both branches now return `invalid_grant` so spec-compliant clients can branch on the standard code without a special case.\n\n### Workarounds\n\nNone of these close the bug fully without a code patch. Upgrading is the only good path.\n\n- **Network-layer**: deploy an authorization-server-aware reverse proxy (Envoy, NGINX with Lua, custom Cloudflare Worker) that holds an in-flight registry keyed by the `code` parameter and serializes concurrent requests for the same code. Fragile under multi-instance deployments unless the registry is shared (Redis-backed).\n- **Database-layer**: add a SQL or Mongo uniqueness constraint that prevents two `oauthAccessToken` rows from being created with the same upstream code reference. Adapter-specific and not always feasible since the schema does not currently store the source code.\n- **Application-layer**: wrap `deleteVerificationByIdentifier` with a custom hook that uses `adapter.deleteMany` and surfaces the count, then injects an `invalid_grant` rejection when the count is zero. Requires forking the internal adapter.\n\n### Impact\n\n- **Multiple independent token sets from a single authorization**: forked access tokens, refresh tokens, and id tokens issued from the same code, all valid for the original user's authorization scope.\n- **Detection bypass**: standard OAuth single-use enforcement does not fire for the second redemption when both requests interleave through the read step.\n- **Legacy-plugin reach**: `oidc-provider` and `mcp` plugins share the primitive on the same surface, so deployments using them inherit the same impact.\n\n### Credit\n\nReported by @chdanielmueller.\n\n### Resources\n\n- [CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization (Race Condition)](https://cwe.mitre.org/data/definitions/362.html)\n- [CWE-367: Time-of-check Time-of-use (TOCTOU) Race Condition](https://cwe.mitre.org/data/definitions/367.html)\n- [CWE-294: Authentication Bypass by Capture-replay](https://cwe.mitre.org/data/definitions/294.html)\n- [RFC 6749 §4.1.2: Authorization Response](https://datatracker.ietf.org/doc/html/rfc6749#section-4.1.2)\n- [OAuth 2.1 §4.1: Authorization Code Grant](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-v2-1#section-4.1)",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
15+
},
16+
{
17+
"type": "CVSS_V4",
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "npm",
25+
"name": "@better-auth/oauth-provider"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "1.6.0"
33+
},
34+
{
35+
"fixed": "1.6.11"
36+
}
37+
]
38+
}
39+
]
40+
},
41+
{
42+
"package": {
43+
"ecosystem": "npm",
44+
"name": "better-auth"
45+
},
46+
"ranges": [
47+
{
48+
"type": "ECOSYSTEM",
49+
"events": [
50+
{
51+
"introduced": "0"
52+
},
53+
{
54+
"fixed": "1.6.11"
55+
}
56+
]
57+
}
58+
]
59+
}
60+
],
61+
"references": [
62+
{
63+
"type": "WEB",
64+
"url": "https://github.com/better-auth/better-auth/security/advisories/GHSA-7w99-5wm4-3g79"
65+
},
66+
{
67+
"type": "PACKAGE",
68+
"url": "https://github.com/better-auth/better-auth"
69+
},
70+
{
71+
"type": "WEB",
72+
"url": "https://github.com/better-auth/better-auth/releases/tag/v1.6.11"
73+
}
74+
],
75+
"database_specific": {
76+
"cwe_ids": [
77+
"CWE-294",
78+
"CWE-362",
79+
"CWE-367"
80+
],
81+
"severity": "HIGH",
82+
"github_reviewed": true,
83+
"github_reviewed_at": "2026-07-07T20:56:35Z",
84+
"nvd_published_at": null
85+
}
86+
}

0 commit comments

Comments
 (0)