CVE-2025-48370

ADVISORY - github

Summary

Impact

The library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called.

Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this.

Patches

Strict value checks have been added to all affected functions. These functions now require that the userId and factorId parameters MUST be valid UUID (v4).

Patched version: >= 2.69.1

Workarounds

Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. It is recommended that users of the auth-js library always follow security best practice and validate all inputs, before passing these to other functions or libraries.

References

https://github.com/supabase/auth-js/pull/1063

EPSS Score⁠: 0.00066 (0.204)

Common Weakness Enumeration (CWE)

ADVISORY - nist

NIST

CREATED

9 months ago

UPDATED

9 months ago

ADVISORY IDCVE-2025-48370⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-22⁠CWE-287⁠

CVSS SCORE

2.7low

GitHub

CREATED

9 months ago

UPDATED

9 months ago

ADVISORY IDGHSA-8r88-6cj9-9fh5⁠

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-22⁠

CVSS SCORE

1.3low

GitLab

CREATED

9 months ago

UPDATED

9 months ago

ADVISORY ID

CVE-2025-48370

EXPLOITABILITY SCORE

EXPLOITS FOUND

COMMON WEAKNESS ENUMERATION (CWE)

CWE-1035⁠CWE-22⁠CWE-937⁠

CVSS SCORE

N/Aunspecified

CVE-2025-48370

Summary

Impact

Patches

Workarounds

References

Common Weakness Enumeration (CWE)

CWE-22⁠

CWE-287⁠

CWE-22⁠

CWE-1035⁠

CWE-22⁠

CWE-937⁠

Advisories

NIST

CVSS SCORE

GitHub

CVSS SCORE

GitLab

CVSS SCORE