GHSA-wmjr-v86c-m9jj: Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions

November 26, 2025 (updated December 9, 2025)

A vulnerability was identified in the multi-session plugin for Better Auth, specifically in the /sign-out after-hook. The hook trusts raw multi-session cookies and forwards the extracted values directly to internalAdapter.deleteSessions without verifying the cookie signature. Because cookie values are not validated with getSignedCookie (or any equivalent check), an attacker can supply a forged _multi-* cookie to trigger deletion of arbitrary session tokens.

References

github.com/advisories/GHSA-wmjr-v86c-m9jj
github.com/better-auth/better-auth
github.com/better-auth/better-auth/commit/cfc453a2a6eb02951f9a0a7c944064936e73eee8
github.com/better-auth/better-auth/releases/tag/v1.4.0
github.com/better-auth/better-auth/security/advisories/GHSA-wmjr-v86c-m9jj

Code Behaviors & Features

Detect and mitigate GHSA-wmjr-v86c-m9jj with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →