Better Auth authentication library for TypeScript contains a vulnerability in its HTTP rate limiter that allows IPv6 clients to bypass rate limiting protections. The flaw occurs because the rate limiter keys requests by exact textual IP addresses from x-forwarded-for headers. Attackers with IPv6 /64 allocations can rotate through 2^64 distinct addresses to defeat rate limiting on authentication endpoints including sign-in, sign-up, and password reset paths. The vulnerability also allows encoding variations of the same IPv6 address to create multiple distinct keys. This affects all rate-limited endpoints and is fixed in versions 1.4.17 and 1.5.0-beta.9.