
Kos0Ng

#53130 of 53,638
2.7 Total CVSS
Vulnerabilities · 1
PT-2025-23011
2.7
2025-05-27
Auth-Js · Auth-Js · CVE-2025-48370
**Name of the Vulnerable Software and Affected Versions**

auth-js versions prior to 2.69.1

**Description**

The issue concerns the auth-js library, an isomorphic JavaScript library for Supabase Auth. Prior to version 2.69.1, certain library functions such as `getUserById`, `deleteUser`, `updateUserById`, `listFactors`, and `deleteFactor` did not validate user-supplied values as valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. However, implementations that follow security best practices and validate user-controlled inputs, such as the `userId`, are not affected by this issue.

**Recommendations**

For versions prior to 2.69.1, update to version 2.69.1 to resolve the issue. As a temporary workaround, consider validating user-controlled inputs, such as the `userId`, to ensure they are valid UUIDs before passing them to the affected library functions. Restrict access to the vulnerable functions until the update can be applied.
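
The temporary workaround above, sketched as an added example (not code from auth-js or from this advisory): a strict UUID check applied before a user-controlled ID reaches a function that places it in a URL path. `withUuidCheck`, `fakeAdmin` and the `/users/` path layout are hypothetical names used for illustration, and the sample IDs are constructed.

```javascript
// Added example: guard for user-controlled IDs, run before any request is built.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isUuid(value) {
  // Type check first: arrays and objects must not be coerced to strings.
  return typeof value === 'string' && UUID_RE.test(value);
}

function assertUuid(value, name = 'id') {
  if (!isUuid(value)) {
    // Do not echo the rejected value; it is untrusted input.
    throw new TypeError(`${name} must be a UUID`);
  }
  return value;
}

// Wrap `fn` so the values returned by `pickIds(...args)` are validated first.
function withUuidCheck(fn, pickIds) {
  return (...args) => {
    for (const [name, value] of Object.entries(pickIds(...args))) {
      assertUuid(value, name);
    }
    return fn(...args);
  };
}

// Hypothetical stand-in for a client that interpolates the ID into a URL path.
const requestedPaths = [];
const fakeAdmin = {
  getUserById(id) {
    requestedPaths.push(`/users/${id}`); // constructed path layout
    return { id };
  },
};

const safeGetUserById = withUuidCheck(
  (id) => fakeAdmin.getUserById(id),
  (id) => ({ userId: id }),
);

// Constructed sample inputs: one well-formed ID and several malformed ones.
const SAMPLE_OK = '3f2b8c1e-9d4a-4e6b-8a1f-0c2d3e4f5a6b';
const SAMPLE_BAD = ['', 'not-a-uuid', `${SAMPLE_OK}/..`, `${SAMPLE_OK}\n`, [SAMPLE_OK], null];

// Counts how many malformed inputs are rejected before any path is built.
function rejectedCount() {
  return SAMPLE_BAD.filter((v) => {
    try { safeGetUserById(v); return false; } catch (e) { return e instanceof TypeError; }
  }).length;
}
```

The same wrapper can be applied to each of the functions the advisory lists by supplying a `pickIds` callback that returns every ID argument that function receives.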