ByteOS Network

NVD Vulnerability Details :

CVE-2025-48370

Awaiting Analysis

Source-security-advisories@github.com

Published At-27 May, 2025 | 16:15

Updated At-28 May, 2025 | 15:01

auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.69.1.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Secondary	4.0	2.7	LOW	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses

CWE ID	Type	Source
CWE-22	Primary	security-advisories@github.com
CWE-287	Primary	security-advisories@github.com

References

Hyperlink	Source	Resource
https://github.com/supabase/auth-js/pull/1063	security-advisories@github.com	N/A
https://github.com/supabase/auth-js/security/advisories/GHSA-8r88-6cj9-9fh5	security-advisories@github.com	N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History