GHSA-hq75-xg7r-rx6c

Suggest an improvement
Source
https://github.com/advisories/GHSA-hq75-xg7r-rx6c
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/07/GHSA-hq75-xg7r-rx6c/GHSA-hq75-xg7r-rx6c.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-hq75-xg7r-rx6c
Published
2025-07-11T17:09:53Z
Modified
2025-07-11T17:09:53Z
Severity
  • 4.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Better Call routing bug can lead to Cache Deception
Details

Summary

Using a CDN that caches (/**/*.png, /**/*.json, /**/*.css, etc...) requests, a cache deception can emerge. This could lead to unauthorized access to user sessions and personal data when cached responses are served to other users.

Details

The vulnerability occurs in the request processing logic where path sanitization is insufficient. The library splits the path using config.basePath but doesn't properly validate the remaining path components. This allows specially crafted requests that appear to be static assets (like /api/auth/get-session/api/auth/image.png assuming config.basePath=/api/auth) to bypass typical CDN cache exclusion rules while actually returning sensitive data.

The problematic code here:

    const processRequest = async (request: Request) => {
        const url = new URL(request.url);
        const path = config?.basePath ? url.pathname.split(config.basePath)[1] : url.pathname;

Since this library is largely coupled with better-auth, it becomes more clear why this can be dangerous with an example request:

<img width="800" alt="image" src="https://github.com/user-attachments/assets/2ab7c4dd-0700-4f59-863f-79f2b5edbb37" />

Impact

This is a cache deception vulnerability affecting better-call users with CDN caching enabled. which can expose sensitive data.

Database specific
{
    "nvd_published_at": null,
    "github_reviewed_at": "2025-07-11T17:09:53Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-525"
    ],
    "severity": "MODERATE"
}
References

Affected packages

npm / better-call

Package

Affected ranges

Type
SEMVER
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.0.12