PT-2025-23011 · Auth-Js · Auth-Js

Kos0Ng · Published 2025-05-27 · Updated 2026-04-27

CVE-2025-48370
CVSS v4.0: 2.7 (Low)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U
Name of the Vulnerable Software and Affected Versions: auth-js versions prior to 2.69.1

Description: The issue concerns the auth-js library, an isomorphic JavaScript library for Supabase Auth. Prior to version 2.69.1, certain library functions such as getUserById, deleteUser, updateUserById, listFactors, and deleteFactor did not validate user-supplied values as valid UUIDs. Because the value is placed into the request URL unchecked, a non-UUID value could lead to URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practices and validate user-controlled inputs, such as the userId, are not affected by this issue.

Recommendations: For versions prior to 2.69.1, update to version 2.69.1 to resolve the issue. As a temporary workaround, validate user-controlled inputs, such as the userId, to ensure they are valid UUIDs before passing them to the affected library functions. Restrict access to the vulnerable functions until the update can be applied.
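The workaround above, as an added example that is not part of this advisory or of auth-js itself: a UUID guard applied before the affected functions are called. The path builders are a simplified model of a REST client interpolating a caller-supplied id into "/admin/users/<id>"; that shape, the `adminClient` object and the sample ids are assumptions, not the library's code.

```javascript
// Added example (not auth-js code): a UUID guard applied at the call boundary,
// as the advisory's workaround recommends. buildUserPath* are simplified
// stand-ins for a REST client composing "/admin/users/<id>" from a
// caller-supplied id; they are an assumption about the shape of the bug,
// not the library's implementation.

// RFC 4122 textual form (8-4-4-4-12 hex digits). Anchored and hex-only, so
// "/", "." and every other path character is rejected outright.
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isUuid(value) {
  return typeof value === "string" && UUID_RE.test(value);
}

// Before the fix (model): the id is interpolated unchecked, so a non-UUID
// value changes which path, and therefore which API function, is requested.
function buildUserPathUnsafe(userId) {
  return `/admin/users/${userId}`;
}

// After the fix (model): validate first; a non-UUID id never reaches the URL.
function buildUserPathSafe(userId) {
  if (!isUuid(userId)) {
    throw new TypeError("userId must be a UUID");
  }
  return `/admin/users/${userId}`;
}

// Workaround for callers still on < 2.69.1: wrap the affected function so the
// check runs before the library is called. `adminClient` is hypothetical; it
// only needs a deleteUser(userId) method returning a promise.
function deleteUserChecked(adminClient, userId) {
  if (!isUuid(userId)) {
    throw new TypeError("userId must be a UUID");
  }
  return adminClient.deleteUser(userId);
}

// Constructed sample inputs (not real user ids).
const SAMPLE_VALID = "123e4567-e89b-42d3-a456-426614174000";
const SAMPLE_INVALID = "../not-a-uuid";

// Does the unsafe builder keep the id inside the /admin/users/ segment?
// Expected: ["", "admin", "users", "<id>"] for a UUID, more parts otherwise.
function idStaysInSegment(userId) {
  return buildUserPathUnsafe(userId).split("/").length === 4;
}
```

The same guard belongs in front of getUserById, updateUserById, listFactors and deleteFactor; apply it wherever the id originates from a request rather than from your own database.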

Tags: Exploit · Fix · Path traversal · Improper Authentication


Weakness Enumeration

Related Identifiers

CVE-2025-48370
GHSA-8R88-6CJ9-9FH5

Affected Products

Auth-Js