Using a CDN that caches (/**/*.png
, /**/*.json
, /**/*.css
, etc...) requests, a cache deception can emerge. This could lead to unauthorized access to user sessions and personal data when cached responses are served to other users.
The vulnerability occurs in the request processing logic where path sanitization is insufficient. The library splits the path using config.basePath
but doesn't properly validate the remaining path components. This allows specially crafted requests that appear to be static assets (like /api/auth/get-session/api/auth/image.png
assuming config.basePath
=/api/auth
) to bypass typical CDN cache exclusion rules while actually returning sensitive data.
The problematic code here:
const processRequest = async (request: Request) => {
const url = new URL(request.url);
const path = config?.basePath ? url.pathname.split(config.basePath)[1] : url.pathname;
Since this library is largely coupled with better-auth
, it becomes more clear why this can be dangerous with an example request:
<img width="800" alt="image" src="https://github.com/user-attachments/assets/2ab7c4dd-0700-4f59-863f-79f2b5edbb37" />
This is a cache deception vulnerability affecting better-call
users with CDN caching enabled. which can expose sensitive data.
{ "nvd_published_at": null, "github_reviewed_at": "2025-07-11T17:09:53Z", "github_reviewed": true, "cwe_ids": [ "CWE-525" ], "severity": "MODERATE" }