CVE-2025-48370

描述

### Impact The library functions `getUserById`, `deleteUser`, `updateUserById`, `listFactors` and `deleteFactor` did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the `userId` are not affected by this. ### Patches Strict value checks have been added to all affected functions. These functions now require that the `userId` and `factorId` parameters MUST be valid UUID (v4). **Patched version:** >= 2.69.1 ### Workarounds Implementations that follow security best practice and validate user controlled inputs, such as the `userId` are not affected by this. It is recommended that users of the auth-js library always follow security best practice and validate all inputs, before passing these to other functions or libraries. ### References https://github.com/supabase/auth-js/pull/1063

如何修補 CVE-2025-48370

要修補 CVE-2025-48370,請將受影響套件升級到下列已修補版本。

• —升級至 2.70.0 或更新版本

CVE-2025-48370 正在被利用嗎?

低 — EPSS 為 0.2%,目前沒有觀察到大規模利用活動。

受影響套件(1)

• from 0, < 2.70.0

CVSS 分數

參考連結(5)

• ADVISORYnvd.nist.gov/vuln/detail/CVE-2025-48370
• PATCHgithub.com/supabase/auth-js
• WEBgithub.com/supabase/auth-js/commit/1bcb76e479e51cd9bca2d7732d0bf3199e07a693
• WEBgithub.com/supabase/auth-js/pull/1063
• WEB