CVE-2025-48370

Description

### Impact The library functions `getUserById`, `deleteUser`, `updateUserById`, `listFactors` and `deleteFactor` did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the `userId` are not affected by this. ### Patches Strict value checks have been added to all affected functions. These functions now require that the `userId` and `factorId` parameters MUST be valid UUID (v4). **Patched version:** >= 2.69.1 ### Workarounds Implementations that follow security best practice and validate user controlled inputs, such as the `userId` are not affected by this. It is recommended that users of the auth-js library always follow security best practice and validate all inputs, before passing these to other functions or libraries. ### References https://github.com/supabase/auth-js/pull/1063

How to fix CVE-2025-48370

To remediate CVE-2025-48370, upgrade the affected package to a fixed version below.

• —upgrade to 2.70.0 or later

Is CVE-2025-48370 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, < 2.70.0

CVSS scores

References (5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-48370
• PATCHgithub.com/supabase/auth-js
• WEBgithub.com/supabase/auth-js/commit/1bcb76e479e51cd9bca2d7732d0bf3199e07a693
• WEBgithub.com/supabase/auth-js/pull/1063