Better Auth HTTP Rate Limiting Vulnerability Allows Bypass via IPv6 Address Rotation

Vulnerability

A vulnerability in Better Auth, an authentication and authorization library for TypeScript, affects versions prior to 1.4.17 and 1.5.0-beta.9 and allows HTTP rate limits on authentication-related endpoints to be bypassed. The rate limiter keys requests on the exact IP address string received in the 'x-forwarded-for' header, so every distinct key gets its own counter. An IPv6 client, which typically holds a whole allocation of addresses, can rotate through them and never exhaust any single counter. In addition, the same IPv6 address can be written in several textual forms, and each form is treated as a separate key, so rate limit enforcement is inconsistent even for one address.

Impact

Exploiting this vulnerability removes the rate limit on email-based authentication attempts, enabling credential stuffing and brute-force attacks. It also speeds up account enumeration and lets an attacker drive the password reset and email verification flows at a much higher volume than intended.

Reproduction

The vulnerability can be reproduced by sending requests to an affected authentication endpoint while varying the client IPv6 address: either by using different textual encodings of the same IPv6 address or by rotating through multiple addresses within a single /64 allocation. Each variant is counted separately, so the limit is never reached.

Remediation

Users can upgrade to Better Auth 1.4.17 or 1.5.0-beta.9, both of which contain the fix. If an upgrade is not possible, users on version 1.4.16 can set 'advanced.ipAddress.ipv6Subnet' to 64 in their configuration so that IPv6 clients are rate limited by /64 prefix, restoring the intended behavior. For versions prior to 1.4.16, the recommendation is to apply a /64 prefix rate limit at the CDN, WAF, or load balancer, or to manually tighten the rate limit windows for the sign-in, sign-up, and password reset endpoints.
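The following is an added example, not Better Auth's own code, illustrating both the Reproduction and Remediation sections above: it shows how keying a counter on the raw address string lets every spelling and every sibling address pass, and how canonicalizing the IPv6 text and keeping only the /64 prefix (the behaviour the 'advanced.ipAddress.ipv6Subnet' setting of 64 is meant to restore) collapses them onto one counter. All names (parseIPv6, fullForm, maskPrefix, rateLimitKey, RateLimiter, countAllowed, SAMPLE_ADDRESSES) are assumptions for this illustration; the sample addresses are constructed from the 2001:db8::/32 documentation prefix, and the address passed in is assumed to have already been extracted from a forwarded-for header set by a trusted proxy.

```typescript
// Added example (not Better Auth's own code): build a rate-limit key that
// (1) canonicalizes the IPv6 text so every spelling of one address matches and
// (2) keeps only the /64 prefix so sibling addresses in one allocation share a
// counter. IPv4 addresses are keyed on the full address. The address passed in
// is assumed to have already been taken from a proxy-set forwarded-for header.

const IPV4_RE = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/;

/** Parse an IPv6 literal into its eight 16-bit groups; null if malformed. */
function parseIPv6(text: string): number[] | null {
  let s = text.trim().toLowerCase();
  if (s.startsWith("[") && s.endsWith("]")) s = s.slice(1, -1); // "[::1]"
  const zone = s.indexOf("%");
  if (zone >= 0) s = s.slice(0, zone);                           // "fe80::1%eth0"
  // Rewrite an embedded dotted quad ("::ffff:192.0.2.1") as two hex groups.
  const lastColon = s.lastIndexOf(":");
  const v4 = IPV4_RE.exec(s.slice(lastColon + 1));
  if (v4) {
    const o = v4.slice(1, 5).map(Number);
    if (o.some((n) => n > 255)) return null;
    const hi = ((o[0] << 8) | o[1]).toString(16);
    const lo = ((o[2] << 8) | o[3]).toString(16);
    s = `${s.slice(0, lastColon + 1)}${hi}:${lo}`;
  }
  if (s.includes(":::")) return null;
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const gap = 8 - head.length - tail.length; // groups elided by "::"
  if (halves.length === 2 ? gap < 1 : gap !== 0) return null;
  const groups = [...head, ...Array.from({ length: gap }, () => "0"), ...tail];
  if (!groups.every((g) => /^[0-9a-f]{1,4}$/.test(g))) return null;
  return groups.map((g) => parseInt(g, 16));
}

/** Full-form text: eight zero-padded groups, an unambiguous canonical spelling. */
function fullForm(groups: number[]): string {
  return groups.map((g) => g.toString(16).padStart(4, "0")).join(":");
}

/** Zero every bit after the first `prefixBits` bits (a /64 keeps four groups). */
function maskPrefix(groups: number[], prefixBits: number): number[] {
  return groups.map((g, i) => {
    const keep = prefixBits - i * 16;
    if (keep >= 16) return g;
    if (keep <= 0) return 0;
    return g & ((0xffff << (16 - keep)) & 0xffff);
  });
}

/**
 * Rate-limit key for one client address. IPv6 is reduced to its network prefix
 * (64 bits by default, the value the advisory recommends); IPv4 is keyed on the
 * full address. Returns null for input that is not an IP address.
 */
function rateLimitKey(address: string, prefixBits = 64): string | null {
  const v6 = parseIPv6(address);
  if (v6) return `v6:${fullForm(maskPrefix(v6, prefixBits))}/${prefixBits}`;
  const v4 = IPV4_RE.exec(address.trim());
  if (v4 && v4.slice(1, 5).every((n) => Number(n) <= 255)) return `v4:${address.trim()}`;
  return null;
}

/** Minimal fixed-window counter; the clock is injectable so the demo is deterministic. */
class RateLimiter {
  private readonly hits = new Map<string, { count: number; resetAt: number }>();
  private readonly max: number;
  private readonly windowMs: number;
  private readonly now: () => number;
  constructor(max: number, windowMs: number, now: () => number = Date.now) {
    this.max = max;
    this.windowMs = windowMs;
    this.now = now;
  }
  /** True if the request under `key` is still within its limit for the current window. */
  allow(key: string): boolean {
    const t = this.now();
    const slot = this.hits.get(key);
    if (!slot || t >= slot.resetAt) {
      this.hits.set(key, { count: 1, resetAt: t + this.windowMs });
      return true;
    }
    slot.count += 1;
    return slot.count <= this.max;
  }
}

// Constructed sample (documentation prefix 2001:db8::/32): four spellings of one
// address plus two siblings in the same /64, as a rotating client would send them.
const SAMPLE_ADDRESSES = [
  "2001:db8:abcd:1::1",
  "2001:0db8:abcd:0001:0000:0000:0000:0001", // zero-padded
  "2001:DB8:ABCD:1::1",                      // upper case
  "[2001:db8:abcd:1::1]",                    // bracketed
  "2001:db8:abcd:1::2",                      // sibling host, same /64
  "2001:db8:abcd:1:dead:beef:cafe:1",        // another sibling
];

/** How many of the sample requests pass a limit of `max` under a given keying strategy. */
function countAllowed(keyOf: (address: string) => string | null, max = 3): number {
  const limiter = new RateLimiter(max, 60_000, () => 0);
  let allowed = 0;
  for (const address of SAMPLE_ADDRESSES) {
    if (limiter.allow(keyOf(address) ?? "unparseable")) allowed += 1;
  }
  return allowed;
}

// Vulnerable keying: the raw header string, so every variant gets its own counter.
const naiveAllowed = countAllowed((a) => a);                 // 6 of 6 pass
// Fixed keying: all six collapse to one /64 key and the limit of 3 holds.
const prefixAllowed = countAllowed((a) => rateLimitKey(a));  // 3 of 6 pass
```

The limiter itself is unchanged between the two runs; only the key derivation differs, which is why a configuration-level fix such as the ipv6Subnet setting or a /64 rule on the CDN or WAF is sufficient. Note that a /64 key also means legitimate users sharing one allocation share a counter, so the window and threshold should be chosen with that in mind.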

Added: May 28, 2026, 10:25 PM
Updated: May 28, 2026, 10:25 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.7
remediation: 8.3
relevance: 9.2
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.