CVE-2025-48370

auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.69.1.

CVSS

No CVSS.

References

Link	Resource
https://github.com/supabase/auth-js/pull/1063
https://github.com/supabase/auth-js/security/advisories/GHSA-8r88-6cj9-9fh5

Configurations

No configuration.

History

No history.

Information

Published : 2025-05-27 16:15

Updated : 2025-05-28 15:01

NVD link : CVE-2025-48370

Mitre link : CVE-2025-48370

CVE.ORG link : CVE-2025-48370

JSON object : View

Products Affected

No product.

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-287

Improper Authentication

{"id": "CVE-2025-48370", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "[email protected]", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "UNREPORTED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2025-05-27T16:15:32.880", "references": [{"url": "https://github.com/supabase/auth-js/pull/1063", "source": "[email protected]"}, {"url": "https://github.com/supabase/auth-js/security/advisories/GHSA-8r88-6cj9-9fh5", "source": "[email protected]"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "[email protected]", "description": [{"lang": "en", "value": "CWE-22"}, {"lang": "en", "value": "CWE-287"}]}], "descriptions": [{"lang": "en", "value": "auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.69.1."}, {"lang": "es", "value": "auth-js es una librer\u00eda de Javascript isom\u00f3rfica para Supabase Auth. Antes de la versi\u00f3n 2.69.1, las funciones de la librer\u00eda getUserById, deleteUser, updateUserById, listFactors y deleteFactor no requer\u00edan que los valores proporcionados por el usuario fueran UUID v\u00e1lidos. Esto pod\u00eda provocar un recorrido de la URL, lo que resultaba en la llamada a una funci\u00f3n de API incorrecta. Las implementaciones que siguen las mejores pr\u00e1cticas de seguridad y validan las entradas controladas por el usuario, como el ID de usuario, no se ven afectadas. Este problema se ha corregido en la versi\u00f3n 2.69.1."}], "lastModified": "2025-05-28T15:01:30.720", "sourceIdentifier": "[email protected]"}