7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4vcf-q4xf-f48m

EPSS Score

CWE

CWE-284

Published

11/25/2025

Updated

11/25/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-4vcf-q4xf-f48m

GHSA-4vcf-q4xf-f48m: Better Auth Passkey Plugin allows passkey deletion through IDOR

Summary

Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey.

Details

ctx.body.id is implicitly trusted and used in passkey deletion queries.

better-auth applications configured with useNumberId may use auto incrementing IDs which makes it trivial to delete all passkeys via enumeration.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-4vcf-q4xf-f48m

GHSA-4vcf-q4xf-f48m:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

GHSA ID

GHSA-4vcf-q4xf-f48m

EPSS Score

CWE

CWE-284

Published

11/25/2025

Updated

11/25/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@better-auth/passkey	npm	< 1.4.0	1.4.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided security patch (commit 06d68239e) clearly indicates an authorization flaw in the passkey function located in packages/passkey/src/index.ts. The vulnerability is an Insecure Direct Object Reference (IDOR). The patch adds a crucial check to the passkey deletion logic. Previously, the code only used the passkey id from the request body to identify the passkey to be deleted. The fix introduces an additional condition to the database query, requiring the userId of the passkey to match the ID of the user in the current session. This ensures that a user can only delete their own passkeys. Therefore, the passkey function is identified as the vulnerable function, as it contained the flawed logic that processed the deletion request without proper authorization checks.

Vulnerable functions

passkey

packages/passkey/src/index.ts

The vulnerability lies within the 'passkey' function, specifically in the handler for the 'POST /passkey/delete-passkey' route. Before the patch, the database query to delete a passkey only used the 'id' provided in the request body (`ctx.body.id`). It did not check if the passkey belonged to the authenticated user making the request. This allowed any user with a valid session to delete any passkey in the system by simply knowing its ID, leading to an Insecure Direct Object Reference (IDOR) vulnerability. The patch fixes this by adding a condition to the query to also filter by the 'userId' from the user's session (`ctx.context.session.user.id`), ensuring users can only delete their own passkeys.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-4vcf-q4xf-f48m: Better Auth Passkey Plugin allows passkey deletion through IDOR

Summary

Details

GHSA-4vcf-q4xf-f48m:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

7.1

7.1

GHSA-4vcf-q4xf-f48m: Better Auth Passkey Plugin allows passkey deletion through IDOR

Summary

Details

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI