Path Traversal Vulnerability in Supabase Auth JavaScript Library
CVE-2025-48370

2.7 LOW

Key Information:

Vendor

Supabase

Status
Vendor
CVE Published:
27 May 2025

What is CVE-2025-48370?

In versions of the Supabase Auth JavaScript library (auth-js) prior to 2.69.1, multiple functions, such as getUserById and updateUserById, do not adequately validate user-supplied values. An attacker who controls such a value could exploit this for path traversal, which could result in unintended API calls and threatens application integrity and security. Implementations that adhere to security best practices are not impacted. The issue has been corrected in version 2.69.1.
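The following is an added example, not code from auth-js or from this advisory: one way for calling code to validate an ID before handing it to a function such as getUserById. It assumes user IDs are UUIDs and that the request path has the form `<base>/admin/users/<id>`; the base URL, the wrapper name and the sample values are constructed.

```javascript
// Added example, not auth-js code.
// Assumptions: user IDs are UUIDs; the admin request path is
// <base>/admin/users/<id>; the base URL below is a constructed placeholder.
const BASE_URL = 'https://project.example/auth/v1';
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// True only for a string in canonical UUID form.
function isUuid(value) {
  return typeof value === 'string' && UUID_RE.test(value);
}

// Shows the path a request ends up with when the id is interpolated
// without validation: the URL parser normalizes dot segments.
function resolvedPath(baseUrl, id) {
  return new URL(`${baseUrl}/admin/users/${id}`).pathname;
}

// Hypothetical wrapper: rejects anything that is not a UUID before the
// library call is made. adminApi is any object exposing getUserById.
function getUserByIdChecked(adminApi, id) {
  if (!isUuid(id)) {
    throw new TypeError('user id must be a UUID');
  }
  return adminApi.getUserById(id);
}

// Constructed sample values.
const goodId = '3f1c2a9e-5b7d-4e21-9c0a-1d2e3f4a5b6c';
const badId = '../other';

console.log(resolvedPath(BASE_URL, goodId)); // stays under /admin/users/
console.log(resolvedPath(BASE_URL, badId));  // leaves /admin/users/
console.log(isUuid(goodId), isUuid(badId));
```

Upgrading to 2.69.1 remains the fix the advisory names; a check like this covers the case where an ID comes from user-controlled input.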

Affected Version(s)

auth-js < 2.69.1

CVSS V4

Score: 2.7
Severity: LOW
Confidentiality: Low
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
