8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-x732-6j76-qmhm

GHSA-x732-6j76-qmhm: Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

Summary

An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs (e.g., by collapsing multiple slashes), this can allow bypasses of disabledPaths and path-based rate limits.

Details

Better Auth uses better-call, which internally relies on rou3 for routing. Affected versions of rou3 normalize paths by removing empty segments. As a result:

/sign-in/email
//sign-in/email
///sign-in/email

…all resolve to the same route.

Some production setups automatically collapse multiple slashes. This includes:

Vercel with Nextjs (default)
Cloudflare - when normalize to urls origin is enabled (https://developers.cloudflare.com/rules/normalization/settings/#normalize-urls-to-origin)

In these environments and other configurations where //path reach Better Auth as /path, the issue does not apply.

Fix

Updating rou3 to the latest version resolves the issue:

better-call previously depended on "rou3": "^0.5.1"
The fix was introduced after that version (commit: https://github.com/h3js/rou3/commit/f60b43fa648399534507c9ac7db36d705b8874c3)

Better Auth recommends:

Upgrading to Better Auth v1.4.5 or later, which includes the updated rou3.
Ensuring the proxy normalizes URLs.
If project maintainers cannot upgrade yet, they can protect their app by normalizing url before it reaches better-auth handler. See example below:

const req = new Request(...) // this would be the actual request object
const url = new URL(req.url);
const normalizedPath = url.pathname.replace(/\/+/g, "/");

if (url.pathname !== normalizedPath) {
  url.pathname = normalizedPath;
  // Update the raw request pathname
  Object.defineProperty(req, "url", {
    value: url.toString(),
    writable: true,
    configurable: true,
  });
}

Impact

Bypass disabledPaths
Bypass path-based rate limits

The impact of bypassing disabled paths could vary based on a project's configuration.

(GitHub Advisory)

Miggo Vulnerability Database

→

GHSA-x732-6j76-qmhm

GHSA-x732-6j76-qmhm:

8.6

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
better-auth	npm	< 1.4.5	1.4.5

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in a dependency of better-auth, specifically the rou3 routing library. The advisory points to a commit in the h3js/rou3 repository that fixes the issue. Analysis of this commit reveals that the splitPath function in src/operations/_utils.ts was modified. The previous implementation of this function would treat paths with multiple consecutive slashes (e.g., //some/path) as identical to paths with single slashes (e.g., /some/path). This path normalization flaw could be exploited to bypass security controls in better-auth that rely on path matching, such as the disabledPaths configuration and rate limiting. The patch alters the logic of splitPath to correctly handle and preserve empty path segments, thus ensuring that paths with multiple slashes are treated distinctly from their single-slashed counterparts, mitigating the bypass vulnerability.

Vulnerable functions

splitPath

src/operations/_utils.ts

The vulnerability lies in the `splitPath` function within the `rou3` library, a dependency of `better-auth`. The original implementation, `path.split("/").filter(Boolean)`, would normalize paths by removing empty segments created by multiple slashes. For example, both `/path` and `//path` would be resolved to the same route, `['path']`. This allowed for bypassing path-based security mechanisms like disabled paths and rate limiting by using double slashes in the URL.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

8.6

-

Basic Information

Basic Information

Concerned about an active attack path?

GHSA-x732-6j76-qmhm: Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

Summary

Details

Fix

Impact

GHSA-x732-6j76-qmhm:

8.6

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

8.6

8.6

Basic Information

Basic Information

GHSA-x732-6j76-qmhm: Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

Summary

Details

Fix

Impact

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI