Improper Restriction of Excessive Authentication Attempts

CVE-2026-45364

Severity Low
Score 0/10

Summary

Users are affected if all of the following are true:

  1. Their app uses better-auth at a version prior to 1.4.17 or a v1.5 prerelease version prior to 1.5.0-beta.8.
  2. The app's authentication endpoints serve clients reachable over IPv6. Most managed hosts, including Cloudflare, Vercel, Fly.io, AWS Application Load Balancer, and Google Cloud Load Balancing, advertise IPv6 by default.
  3. The app's rate-limit configuration is enabled (the production default) and relies on the leftmost x-forwarded-for value (the stock setup) or any other configured IP-bearing header.

If users are on 1.4.16 specifically, the `normalizeIP` helper exists in that version but the IPv6 prefix length defaults to `/128`. The stock config still permits prefix rotation because no prefix mask is applied. Either upgrade to 1.4.17 or set `advanced.ipAddress.ipv6Subnet: 64` in the config.

If applications do not use the rate limiter, or if the deployment serves only IPv4 clients, the prefix-rotation vector does not apply. The representation-aliasing vector still applies to IPv6 addresses delivered over IPv4 transport in some edge cases (an upstream proxy carrying an IPv4-mapped IPv6 source), but it is rare in practice.
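The two mitigations the summary describes, masking an IPv6 client address to its /64 prefix before it becomes a rate-limit key and collapsing an IPv4-mapped IPv6 address (`::ffff:a.b.c.d`) to its IPv4 form, are shown below in plain JavaScript as an added example. This is illustrative code written for this page, not better-auth's own `normalizeIP` helper or rate limiter; the function names `normalizeIP`, `makeRateLimiter` and `demo`, the bucket/window limiter design, the key format and the constructed `2001:db8:1:2::/64` client addresses are all assumptions. The `demo` function runs the same ten rotating addresses through a limiter keyed on the full /128 (the unmasked behaviour the summary attributes to 1.4.16) and through one keyed on /64, and returns how many requests each lets through.

```javascript
// Added example (not better-auth code): normalize client IPs before they
// become rate-limit keys so that host-bit rotation inside one /64 and
// IPv4-mapped IPv6 aliasing both collapse onto a single bucket.

// Dotted-quad check without node:net so the block has no imports.
function isIPv4(s) {
  const m = s.match(/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/);
  return !!m && m.slice(1).every((o) => Number(o) <= 255);
}

// Parse textual IPv6 into eight 16-bit groups; returns null when malformed.
function parseIPv6(addr) {
  let s = addr.replace(/^\[|\]$/g, "").split("%")[0].toLowerCase();
  // Embedded dotted-quad tail (e.g. ::ffff:192.0.2.1) -> two hex groups.
  const m = s.match(/^(.*:)(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})$/);
  if (m) {
    const o = m[2].split(".").map(Number);
    if (o.some((x) => x > 255)) return null;
    s = m[1] + ((o[0] << 8) | o[1]).toString(16) + ":" + ((o[2] << 8) | o[3]).toString(16);
  }
  const halves = s.split("::");
  if (halves.length > 2) return null;
  const head = halves[0] ? halves[0].split(":") : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(":") : [];
  const missing = 8 - head.length - tail.length;
  if (halves.length === 1 && missing !== 0) return null; // no "::" -> need all 8
  if (halves.length === 2 && missing < 1) return null;   // "::" must stand for >= 1 group
  const groups = [...head, ...Array(halves.length === 2 ? missing : 0).fill("0"), ...tail];
  const nums = groups.map((g) => (/^[0-9a-f]{1,4}$/.test(g) ? parseInt(g, 16) : NaN));
  return nums.some(Number.isNaN) ? null : nums;
}

// Canonical rate-limit key for a client address. ipv6Subnet is the prefix
// length kept for IPv6 (assumed default 64); host bits beyond it are zeroed.
function normalizeIP(raw, ipv6Subnet = 64) {
  const addr = raw.trim();
  if (isIPv4(addr)) return addr;
  const g = parseIPv6(addr);
  if (!g) return null;
  // IPv4-mapped IPv6 (::ffff:a.b.c.d): key on the embedded IPv4 address so
  // "192.0.2.1" and "::ffff:192.0.2.1" share one bucket.
  if (g.slice(0, 5).every((x) => x === 0) && g[5] === 0xffff) {
    return `${g[6] >> 8}.${g[6] & 0xff}.${g[7] >> 8}.${g[7] & 0xff}`;
  }
  const masked = g.map((grp, i) => {
    const bitsKept = Math.max(0, Math.min(16, ipv6Subnet - i * 16));
    const mask = bitsKept === 0 ? 0 : (0xffff << (16 - bitsKept)) & 0xffff;
    return grp & mask;
  });
  return masked.map((x) => x.toString(16)).join(":") + `/${ipv6Subnet}`;
}

// Minimal fixed-window limiter keyed on the normalized address (assumed design).
function makeRateLimiter({ max = 5, windowMs = 60_000, ipv6Subnet = 64 } = {}) {
  const buckets = new Map();
  return function hit(ip, now = Date.now()) {
    const key = normalizeIP(ip, ipv6Subnet);
    // Unparsable address: refuse rather than hand out a fresh bucket.
    if (key === null) return { allowed: false, key: null };
    const b = buckets.get(key);
    if (!b || now - b.start >= windowMs) {
      buckets.set(key, { start: now, count: 1 });
      return { allowed: true, key };
    }
    b.count += 1;
    return { allowed: b.count <= max, key };
  };
}

// Constructed sample: ten distinct hosts inside one /64, sent at the same instant.
function demo() {
  const rotating = Array.from({ length: 10 }, (_, i) => `2001:db8:1:2::${(i + 1).toString(16)}`);
  const unmasked = makeRateLimiter({ max: 5, ipv6Subnet: 128 }); // /128: every host is a new bucket
  const masked = makeRateLimiter({ max: 5, ipv6Subnet: 64 });    // /64: all ten share one bucket
  const allowedCount = (limiter) => rotating.filter((ip) => limiter(ip, 0).allowed).length;
  return { withoutMask: allowedCount(unmasked), withMask: allowedCount(masked) };
}
```

The key returned for a masked address carries the prefix length (`2001:db8:1:2:0:0:0:0/64`), so buckets built under different `ipv6Subnet` settings never collide with each other. Whatever header the address came from (the summary mentions the leftmost `x-forwarded-for` value), the normalization has to run on the trusted client address after proxy handling, not on the raw header string.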

  • LOW
  • NETWORK
  • LOW
  • UNCHANGED
  • NONE
  • NONE
  • LOW
  • LOW

CWE-307 - Improper Restriction of Excessive Authentication Attempts

The software does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks.

Advisory Timeline

  • Published