
Conversation

@carlospolop
Collaborator

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

🎯 Content Summary

What: Critical authn/authz logic flaw in better-auth’s API keys plugin lets unauthenticated clients mint or modify API keys for arbitrary users (CVE-2025-61928, advisory GHSA-99h5-pjcv-gr6v). Affects all versions that include the plugin up to 1.3.25; fixed in 1.3.26. Library has ~300,000 weekly npm downloads and is used by organizations including Equinor.


Where: API keys plugin routes:
- /api/auth/api-key/create<...

🔧 Technical Details

Body-controlled identity to bypass auth: Treating the presence of userId in the request body as a reason to disable auth (authRequired = ... && !ctx.body.userId) lets attackers forge user = { id: ctx.body.userId } without a session, binding operations to arbitrary accounts via a single unauthenticated POST.


Privilege shaping through server-only fields: Once in the unauthenticated branch, server-side guards don’t run; attackers can directly set permissions, rateLimitMax, refillAmount, and remaining to grant expansive capabilities to newly minted keys.


Logic reuse across routes: Reusing the same flawed authRequired predicate in both create and update routes generalizes the technique to key modification, not just creation, broadening abuse from initial compromise to persistent capability escalation.

🤖 Agent Actions

I analyzed the blog and repository, explored existing relevant content, and updated HackTricks accordingly.

What I looked for in HackTricks

  • Reviewed these pages to find the right home for “authn/authz logic flaw by trusting client-controlled userId in the body”:
    • src/pentesting-web/idor.md
    • src/pentesting-web/web-vulnerabilities-methodology.md
    • src/pentesting-web/login-bypass/README.md
    • src/pentesting-web/hacking-with-cookies/README.md
    • src/pentesting-web/parameter-pollution.md
    • src/network-services-pentesting/pentesting-web/nextjs.md

Decision

  • This issue is a pre-authentication logic flaw that bypasses authentication and lets an unauthenticated attacker mint/modify API keys for arbitrary users by forging identity from the request body.
  • The most appropriate place to document a technique for bypassing authentication due to flawed logic is src/pentesting-web/login-bypass/README.md (rather than creating a new file or misplacing it under generic sections).
  • I added a specific subsection to catalog this pattern, including PoCs, hunting tips, detection/forensics, and mitigations. I also added a References section at the end with the blog and relevant links, per guidelines.

Changes made

  • File updated: src/pentesting-web/login-bypass/README.md
  • Additions:
    • New section: “Body-controlled identity (userId in body) → Pre-auth account/key takeover”
      • Root cause pattern and why it’s broken
      • Real-world case (better-auth API keys plugin) with affected routes
      • Minimal and privilege-shaped PoCs (curl)
      • Hunting tips for code review/SAST (smells around building identity from body)
      • Detection/forensics and mitigations
    • Added “## References” to the end of the file with:
      • ZeroPath blog post
      • NPM package
      • GHSA advisory
      • Plugin intro PR
  • Verified the final training banner include remains at the very end.

Technical highlights added

  • Canonical flawed predicate pattern:
    const authRequired = (ctx.request || ctx.headers) && !ctx.body.userId;
    const user = session?.user ?? (authRequired ? null : { id: ctx.body.userId });
  • Clear exploitation flow for unauthenticated POST to /api/auth/api-key/create
  • Privilege shaping via server-only fields: permissions, rateLimitMax, refillAmount, remaining
  • Guidance to grep for handlers deriving identity from body.userId to populate req.user/ctx.user and short-circuit auth

References used

No new file was needed; the update integrates with existing structure and style.


This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.
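The flawed predicate quoted in the PR, as an added JavaScript illustration that is not better-auth's code or the bot's, beside a hardened form that derives identity from the verified session only and drops server-only fields from HTTP callers. The function names, `SERVER_ONLY_FIELDS`, and the `ctx` shape (`request`/`headers` present only for HTTP requests) are assumptions.

```javascript
// Added illustration of CVE-2025-61928's pattern; names and ctx shape are hypothetical.
const SERVER_ONLY_FIELDS = ["permissions", "rateLimitMax", "refillAmount", "remaining"];

// Vulnerable: a userId in the body switches authentication off, so an
// unauthenticated HTTP caller picks whose key is minted and with what fields.
function resolveUserVulnerable(ctx, session) {
  const authRequired = (ctx.request || ctx.headers) && !ctx.body.userId;
  const user = session?.user ?? (authRequired ? null : { id: ctx.body.userId });
  if (!user) throw new Error("UNAUTHORIZED");
  return { user, fields: { ...ctx.body } }; // server-side guards never run here
}

// Hardened: any HTTP request requires a session regardless of the body; only a
// server-side call (no request/headers) may name a userId, and HTTP callers
// cannot set server-only fields.
function resolveUserHardened(ctx, session) {
  const isHttp = Boolean(ctx.request || ctx.headers);
  if (isHttp) {
    if (!session?.user) throw new Error("UNAUTHORIZED");
    const fields = Object.fromEntries(
      Object.entries(ctx.body).filter(
        ([k]) => k !== "userId" && !SERVER_ONLY_FIELDS.includes(k)
      )
    );
    return { user: session.user, fields };
  }
  // Trusted server-side path: userId and privileged fields are allowed.
  if (!ctx.body.userId) throw new Error("UNAUTHORIZED");
  return { user: { id: ctx.body.userId }, fields: { ...ctx.body } };
}

// Returns true when the flaw is present: an unauthenticated HTTP request with
// a body userId resolves to that user. Used to compare both variants.
function mintsKeyForBodyUser(resolve, body) {
  const ctx = { request: {}, headers: {}, body }; // constructed unauthenticated request
  try {
    return resolve(ctx, null).user.id === body.userId;
  } catch {
    return false;
  }
}

module.exports = { resolveUserVulnerable, resolveUserHardened, mintsKeyForBodyUser, SERVER_ONLY_FIELDS };
```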

@carlospolop
Collaborator Author

🔗 Additional Context

Original Blog Post: https://zeropath.com/blog/breaking-authentication-unauthenticated-api-key-creation-in-better-auth-cve-2025-61928

Content Categories: Based on the analysis, this content was categorized under "Web/API Pentesting -> Authentication/Authorization Bypass -> Logic Flaws (trusting client-controlled identity/userId in body)".

Repository Maintenance:

  • MD Files Formatting: 901 files processed

Review Notes:

  • This content was automatically processed and may require human review for accuracy
  • Check that the placement within the repository structure is appropriate
  • Verify that all technical details are correct and up-to-date
  • All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

@carlospolop carlospolop deleted the update_Critical_Account_Takeover_via_Unauthenticated_API__20251022_063054 branch October 26, 2025 02:39