GHSA-569q-mpph-wgww: Better Auth affected by external request basePath modification DoS

December 1, 2025

Affected versions of Better Auth allow an external request to configure baseURL when it isn’t defined through any other means. This can be abused to poison the router’s base path, causing all routes to return 404 for all users.

This issue is only exploitable when baseURL is not explicitly configured (e.g., BETTER_AUTH_URL is missing) and the attacker is able to make the very first request to the server after startup. In properly configured environments or typical managed hosting platforms, this fallback behavior cannot be reached.

References

github.com/advisories/GHSA-569q-mpph-wgww
github.com/better-auth/better-auth
github.com/better-auth/better-auth/releases/tag/v1.4.2
github.com/better-auth/better-auth/security/advisories/GHSA-569q-mpph-wgww
github.com/ray-project/ray/commit/70e7c72780bdec075dba6cad1afe0832772bfe09

Code Behaviors & Features

Detect and mitigate GHSA-569q-mpph-wgww with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →