GHSA-x732-6j76-qmhm: Better Auth's rou3 Dependency has Double-Slash Path Normalization which can Bypass disabledPaths Config and Rate Limits

December 16, 2025

An issue in the underlying router library rou3 can cause /path and //path to be treated as identical routes. If your environment does not normalize incoming URLs (e.g., by collapsing multiple slashes), this can allow bypasses of disabledPaths and path-based rate limits.

References

github.com/advisories/GHSA-x732-6j76-qmhm
github.com/better-auth/better-auth
github.com/better-auth/better-auth/security/advisories/GHSA-x732-6j76-qmhm

Code Behaviors & Features

Detect and mitigate GHSA-x732-6j76-qmhm with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →