Description

auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.70.0.

INFO

Published Date :

2025-05-27T15:27:00.864Z

Last Modified :

2026-04-27T21:11:41.238Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-48370 vulnerability.

No data.

REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-48370.

URL Resource
https://github.com/supabase/auth-js/commit/1bcb76e479e51cd9bca2d7732d0bf3199e07a693 cve-icon cve-icon
https://github.com/supabase/auth-js/pull/1063 cve-icon cve-icon
https://github.com/supabase/auth-js/security/advisories/GHSA-8r88-6cj9-9fh5 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability