[GH-ISSUE #3991] Version 1.3.0 introduced a memory leak with customSession plugin #9789

Closed
opened 2026-04-13 05:30:03 -05:00 by GiteaMirror · 2 comments
Owner

Originally created by @tehnrd on GitHub (Aug 14, 2025).
Original GitHub issue: https://github.com/better-auth/better-auth/issues/3991

Is this suited for github?

  • Yes, this is suited for github

To Reproduce

This repo has full steps and code to reproduce: https://github.com/tehnrd/better-auth-mem-leak

Current vs. Expected behavior

Memory continues to grow and grow. Memory should not continue to grow.

What version of Better Auth are you using?

1.3.6

System info

System:
    OS: macOS 15.5
    CPU: (10) arm64 Apple M1 Pro
    Memory: 555.61 MB / 32.00 GB
    Shell: 5.9 - /bin/zsh
  Browsers:
    Chrome: 139.0.7258.68
    Safari: 18.5

Which area(s) are affected? (Select all that apply)

Backend

Auth config (if applicable)

import { svelteKitHandler } from 'better-auth/svelte-kit';
import { building } from '$app/environment';
import { betterAuth } from 'better-auth';
import { customSession } from 'better-auth/plugins';
import type { User, Session } from 'better-auth/types';

export const auth = betterAuth({
	plugins: [
		customSession(async ({ user, session }: { user: User; session: Session }) => {
			return {
				user: {
					...user,
					newField: 'newField'
				},
				session
			};
		})
	]
});

Additional context

Image

Based on inspecting the memory dumps and the items being retained, this might be related to zod, but I haven't had the capacity to do a deep dive on it.

Originally created by @tehnrd on GitHub (Aug 14, 2025). Original GitHub issue: https://github.com/better-auth/better-auth/issues/3991 ### Is this suited for github? - [x] Yes, this is suited for github ### To Reproduce This repo has full steps and code to reproduce: https://github.com/tehnrd/better-auth-mem-leak ### Current vs. Expected behavior Memory continues to grow and grow. Memory should not continue to grow. ### What version of Better Auth are you using? 1.3.6 ### System info ```bash System: OS: macOS 15.5 CPU: (10) arm64 Apple M1 Pro Memory: 555.61 MB / 32.00 GB Shell: 5.9 - /bin/zsh Browsers: Chrome: 139.0.7258.68 Safari: 18.5 ``` ### Which area(s) are affected? (Select all that apply) Backend ### Auth config (if applicable) ```typescript import { svelteKitHandler } from 'better-auth/svelte-kit'; import { building } from '$app/environment'; import { betterAuth } from 'better-auth'; import { customSession } from 'better-auth/plugins'; import type { User, Session } from 'better-auth/types'; export const auth = betterAuth({ plugins: [ customSession(async ({ user, session }: { user: User; session: Session }) => { return { user: { ...user, newField: 'newField' }, session }; }) ] }); ``` ### Additional context <img width="835" height="360" alt="Image" src="https://github.com/user-attachments/assets/e38c3810-8a91-4f54-bcc5-9a2b23e45016" /> Based on inspecting the memory dumps and the items being retained, this might be related to zod, but I haven't had the capacity to do a deep dive on it.
GiteaMirror added the lockedbug labels 2026-04-13 05:30:03 -05:00
Author
Owner

@dosubot[bot] commented on GitHub (Aug 14, 2025):

Hi @tehnrd! I'm Dosu and I’m helping the better-auth team.

There is no existing documentation or resolved issue about a memory leak with customSession or zod, but your report is consistent with a real problem introduced after v1.3.0. The customSession plugin uses zod for query validation and calls your transformer function on every request. If zod schemas or closures over request/session data are inadvertently retained across requests—such as by being stored globally or in plugin state—this can cause memory to grow over time, especially under high load or repeated requests. This risk is present if schemas or functions are not properly scoped or are recreated per request, which can lead to leaks if they capture large objects or references in a chain cite.

There are open pull requests related to customSession and session handling, but none directly mention or resolve a memory leak cite cite. No workaround is documented, but reviewing your plugin usage to ensure no persistent references are held and monitoring for updates to these PRs may help. If you can, try reverting to v1.2.12 as a temporary mitigation while the issue is investigated.

To reply, just mention @dosu.


How did I do? Good | Irrelevant | Incorrect | Verbose | Hallucination | Report 🐛 | Other  Chat with Dosu Join Discord Share on X

<!-- gh-comment-id:3186795403 --> @dosubot[bot] commented on GitHub (Aug 14, 2025): <!-- Greeting --> Hi @tehnrd! I'm [Dosu](https://go.dosu.dev/dosubot) and I’m helping the better-auth team. <!-- Answer --> There is no existing documentation or resolved issue about a memory leak with customSession or zod, but your report is consistent with a real problem introduced after v1.3.0. The customSession plugin uses zod for query validation and calls your transformer function on every request. If zod schemas or closures over request/session data are inadvertently retained across requests—such as by being stored globally or in plugin state—this can cause memory to grow over time, especially under high load or repeated requests. This risk is present if schemas or functions are not properly scoped or are recreated per request, which can lead to leaks if they capture large objects or references in a chain [cite](https://github.com/better-auth/better-auth/blob/1cbea683d8f8ce7b17f60f355ecc99697919b216/packages/better-auth/src/plugins/custom-session/index.ts). There are open pull requests related to customSession and session handling, but none directly mention or resolve a memory leak [cite](https://github.com/better-auth/better-auth/pull/3156) [cite](https://github.com/better-auth/better-auth/pull/3868). No workaround is documented, but reviewing your plugin usage to ensure no persistent references are held and monitoring for updates to these PRs may help. If you can, try reverting to v1.2.12 as a temporary mitigation while the issue is investigated. <!-- Dosu Comment Footer --> *To reply, just mention [@dosu](https://go.dosu.dev/dosubot).* --- <sup>How did I do? [Good](https://app.dosu.dev/response-feedback/21e7cf89-60f6-42da-9337-71275e4364d4?feedback_type=great_response) | [Irrelevant](https://app.dosu.dev/response-feedback/21e7cf89-60f6-42da-9337-71275e4364d4?feedback_type=irrelevant_answer) | [Incorrect](https://app.dosu.dev/response-feedback/21e7cf89-60f6-42da-9337-71275e4364d4?feedback_type=incorrect_sources) | [Verbose](https://app.dosu.dev/response-feedback/21e7cf89-60f6-42da-9337-71275e4364d4?feedback_type=too_verbose) | [Hallucination](https://app.dosu.dev/response-feedback/21e7cf89-60f6-42da-9337-71275e4364d4?feedback_type=hallucination) | [Report 🐛](https://app.dosu.dev/response-feedback/21e7cf89-60f6-42da-9337-71275e4364d4?feedback_type=bug_report) | [Other](https://app.dosu.dev/response-feedback/21e7cf89-60f6-42da-9337-71275e4364d4?feedback_type=other)</sup>&nbsp;&nbsp;[![Chat with Dosu](https://dosu.dev/dosu-chat-badge.svg)](https://app.dosu.dev/cdda13d9-dd27-4d31-b09a-5d8bec92de21/ask?utm_source=github)&nbsp;[![Join Discord](https://img.shields.io/badge/join-5865F2?logo=discord&logoColor=white&label=)](https://go.dosu.dev/discord-bot)&nbsp;[![Share on X](https://img.shields.io/badge/X-share-black)](https://twitter.com/intent/tweet?text=%40dosu_ai%20helped%20me%20solve%20this%20issue!&url=https%3A//github.com/better-auth/better-auth/issues/3991)
Author
Owner

@tehnrd commented on GitHub (Aug 15, 2025):

A PR as been submitted to fix this issue: https://github.com/better-auth/better-auth/pull/4020

Would love to see this prioritized as it is causing app performance and cost increases.

<!-- gh-comment-id:3190352478 --> @tehnrd commented on GitHub (Aug 15, 2025): A PR as been submitted to fix this issue: https://github.com/better-auth/better-auth/pull/4020 Would love to see this prioritized as it is causing app performance and cost increases.
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/better-auth#9789