Vulnerability Description
auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.70.0.
Related Weaknesses (CWE)
References
- https://github.com/supabase/auth-js/commit/1bcb76e479e51cd9bca2d7732d0bf3199e07a
- https://github.com/supabase/auth-js/pull/1063
- https://github.com/supabase/auth-js/security/advisories/GHSA-8r88-6cj9-9fh5
FAQ
What is CVE-2025-48370?
CVE-2025-48370 is a documented vulnerability. auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the ...
How severe is CVE-2025-48370?
CVSS scoring is not yet available for CVE-2025-48370. Check NVD for updates.
Is there a patch for CVE-2025-48370?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.