HIGH
better-auth
CVE published 2026-05-28
CVE-2026-45364
Better Auth's HTTP rate limiter prior to versions 1.4.17 and 1.5.0-beta.9 used raw textual IP addresses from x-forwarded-for (or configured IP-bearing headers) as rate-limiting keys without normalization. This allowed IPv6 clients with a /64 allocation to rotate through 2^64 distinct addresses, bypassing per-address rate limits on authentication endpoints including /sign-in/email, /sign-up/email, and /for [truncated]
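The fix the advisory points at is to normalize the client address before using it as a rate-limit key, so that every address in one IPv6 /64 lands in the same bucket and textual variants of the same address (upper case, zero padding, `::` compression, IPv4-mapped form) cannot each open a fresh bucket. The following is an added example written for this page, not Better Auth's own code; the names `rateLimitKey`, `FixedWindowLimiter` and `compareKeying` are this example's own, and the sample addresses are constructed. It assumes the address handed to the limiter already comes from a header set by a trusted reverse proxy, which is a separate precondition the limiter itself cannot check.

```typescript
// Added example: derive a rate-limit key from a client IP so that all
// addresses in one IPv6 /64 share a single bucket (not Better Auth's code).

function parseIPv4(text: string): number[] | null {
  const parts = text.split('.');
  if (parts.length !== 4) return null;
  const octets: number[] = [];
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p)) return null;
    const n = Number(p);
    if (n > 255) return null;
    octets.push(n);
  }
  return octets;
}

// Expand an IPv6 address into 8 hextets with leading zeros removed.
// Accepts "::" compression and an IPv4-mapped dotted-quad tail.
function expandIPv6(text: string): string[] | null {
  let s = text.toLowerCase();
  const lastColon = s.lastIndexOf(':');
  if (lastColon === -1) return null;
  const tail = s.slice(lastColon + 1);
  if (tail.includes('.')) {
    // Rewrite "a.b.c.d" as two hextets so the generic path can handle it.
    const v4 = parseIPv4(tail);
    if (!v4) return null;
    const hi = ((v4[0] << 8) | v4[1]).toString(16);
    const lo = ((v4[2] << 8) | v4[3]).toString(16);
    s = s.slice(0, lastColon + 1) + hi + ':' + lo;
  }
  const halves = s.split('::');
  if (halves.length > 2) return null; // at most one "::"
  const head = halves[0] ? halves[0].split(':') : [];
  const rest = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  let groups: string[];
  if (halves.length === 2) {
    const missing = 8 - head.length - rest.length;
    if (missing < 1) return null;
    groups = [...head, ...new Array<string>(missing).fill('0'), ...rest];
  } else {
    groups = head;
  }
  if (groups.length !== 8) return null;
  for (const g of groups) if (!/^[0-9a-f]{1,4}$/.test(g)) return null;
  return groups.map((g) => g.replace(/^0+(?=.)/, ''));
}

// Canonical key: IPv4 as dotted quad, IPv6 collapsed to its /64 prefix.
// Returns null for anything that is not a valid address.
function rateLimitKey(rawIp: string): string | null {
  const ip = rawIp.trim();
  const v4 = parseIPv4(ip);
  if (v4) return v4.join('.');
  const g = expandIPv6(ip);
  if (!g) return null;
  // IPv4-mapped IPv6 (::ffff:a.b.c.d) is keyed as the embedded IPv4 address.
  if (g.slice(0, 5).every((x) => x === '0') && g[5] === 'ffff') {
    const hi = parseInt(g[6], 16);
    const lo = parseInt(g[7], 16);
    return [hi >> 8, hi & 0xff, lo >> 8, lo & 0xff].join('.');
  }
  return g.slice(0, 4).join(':') + '::/64';
}

// Minimal fixed-window counter; the key function is what matters here.
class FixedWindowLimiter {
  private buckets = new Map<string, { start: number; count: number }>();
  private max: number;
  private windowMs: number;
  constructor(max: number, windowMs: number) {
    this.max = max;
    this.windowMs = windowMs;
  }
  allow(key: string, now: number): boolean {
    const b = this.buckets.get(key);
    if (!b || now - b.start >= this.windowMs) {
      this.buckets.set(key, { start: now, count: 1 });
      return true;
    }
    if (b.count >= this.max) return false;
    b.count += 1;
    return true;
  }
}

// Constructed sample: ten attempts from different addresses in one /64,
// counted once with the raw textual key and once with the normalized key.
function compareKeying(): { raw: number; normalized: number } {
  const attempts = Array.from({ length: 10 }, (_, i) => `2001:db8:abcd:1::${(i + 1).toString(16)}`);
  const rawLimiter = new FixedWindowLimiter(5, 60000);
  const normLimiter = new FixedWindowLimiter(5, 60000);
  let raw = 0;
  let normalized = 0;
  for (const ip of attempts) {
    if (rawLimiter.allow(ip, 1000)) raw += 1;
    if (normLimiter.allow(rateLimitKey(ip) ?? 'invalid', 1000)) normalized += 1;
  }
  return { raw, normalized };
}

console.log(compareKeying()); // raw keying admits all 10, /64 keying admits 5
```

Keying on the /64 is a trade-off: it closes the rotation gap described above, but it also groups every host behind one prefix into a single bucket, so the window and threshold should be chosen with that coarser granularity in mind. Invalid input maps to a shared `invalid` bucket rather than bypassing the limiter.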