Better Auth Passkey Plugin allows passkey deletion through IDOR
High severity. GitHub Reviewed.
Published Nov 24, 2025 in better-auth/better-auth. Updated Nov 25, 2025.
Published to the GitHub Advisory Database Nov 25, 2025. Reviewed Nov 25, 2025. Last updated Nov 25, 2025.
Description
Summary
Affected versions of the better-auth passkey plugin allow users with any valid session to delete arbitrary passkeys via their ID using POST /passkey/delete-passkey.

Details
ctx.body.id is implicitly trusted and used in passkey deletion queries. better-auth applications configured with useNumberId may use auto-incrementing IDs, which makes it trivial to delete all passkeys via enumeration.

References
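As an added example (not better-auth's own code), a minimal TypeScript model of the handler shape the advisory describes: the vulnerable form filters only on the client-supplied id, while the hardened form validates the body and scopes the delete to the userId of the server-side session. All names (Passkey, Session, freshStore, deletePasskeyVulnerable, deletePasskeyFixed) are hypothetical.

```typescript
// Hypothetical, simplified model of a delete-passkey handler; not better-auth's code.
interface Passkey { id: string; userId: string; name: string }
interface Session { userId: string }

// Constructed sample data: two users, each with one registered passkey.
const SAMPLE_PASSKEYS: Passkey[] = [
  { id: "1", userId: "alice", name: "alice-security-key" },
  { id: "2", userId: "bob", name: "bob-phone" },
];

// Fresh copy of the store so each call sequence starts from the same state.
function freshStore(): Passkey[] {
  return SAMPLE_PASSKEYS.map(p => ({ ...p }));
}

// Vulnerable shape: the request body's id is the only filter, so any valid
// session can remove any passkey. With small numeric ids this is enumerable.
function deletePasskeyVulnerable(store: Passkey[], _session: Session, body: { id: unknown }) {
  const idx = store.findIndex(p => p.id === String(body.id));
  if (idx === -1) return { status: 404 };
  store.splice(idx, 1);
  return { status: 200 };
}

// Hardened shape: reject malformed ids, then bind the delete to the caller's
// own userId, which comes from the session and never from the request body.
function deletePasskeyFixed(store: Passkey[], session: Session, body: { id: unknown }) {
  if (typeof body.id !== "string" && typeof body.id !== "number") return { status: 400 };
  const id = String(body.id);
  // Ownership check and lookup are one predicate: there is no window in which
  // the id is acted on without the userId constraint.
  const idx = store.findIndex(p => p.id === id && p.userId === session.userId);
  // Same response for "not found" and "not yours", so other users' ids are not confirmed.
  if (idx === -1) return { status: 404 };
  store.splice(idx, 1);
  return { status: 200 };
}
```

A regression test for the fix should assert that a session for one user receives 404 and leaves the store unchanged when it targets another user's passkey id.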