๐Ÿ” CVE Alert

CVE-2025-48370

UNKNOWN 0.0

auth-js Vulnerable to Insecure Path Routing from Malformed User Input

CVSS Score: 0.0
EPSS Score: 0.2%
EPSS Percentile: 44th

auth-js is an isomorphic JavaScript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user-supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user-controlled inputs, such as the userId, are not affected by this. This issue has been patched in version 2.70.0.
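The caller-side validation mentioned above, as an added example that is not code from auth-js or from this advisory: it rejects non-UUID ids before they reach a URL path and shows how an unchecked id is normalized into a different path. The base URL, the `/admin/users/` path layout, the helper names and the assumption that the id is the first argument of the three wrapped functions are illustrative.

```javascript
// Added example. Path layout, base URL and helper names are assumptions.
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Throws unless `value` is a string in canonical UUID form.
function assertUuid(value, name = 'id') {
  if (typeof value !== 'string' || !UUID_RE.test(value)) {
    throw new TypeError(`${name} must be a UUID`);
  }
  return value;
}

// Unchecked interpolation: the URL parser collapses dot segments, so the
// request path is no longer under /admin/users/.
function unsafeUserPath(base, userId) {
  return new URL(`${base}/admin/users/${userId}`).pathname;
}

// Same construction, but the id is validated first.
function safeUserPath(base, userId) {
  return new URL(`${base}/admin/users/${assertUuid(userId, 'userId')}`).pathname;
}

// Wraps an admin client so the id-taking calls validate their first argument.
// Useful as defence in depth for callers still on a version below 2.70.0.
function guardAdmin(admin) {
  const guarded = Object.create(admin);
  for (const fn of ['getUserById', 'deleteUser', 'updateUserById']) {
    guarded[fn] = (id, ...rest) => admin[fn](assertUuid(id, 'userId'), ...rest);
  }
  return guarded;
}

// Constructed sample inputs.
const BASE = 'https://auth.example.test';
const GOOD_ID = '123e4567-e89b-12d3-a456-426614174000';
const BAD_ID = '../other-resource';

console.log(unsafeUserPath(BASE, BAD_ID)); // path escapes /admin/users/
console.log(safeUserPath(BASE, GOOD_ID));
```

Upgrading to 2.70.0 or later remains the fix; the wrapper only keeps malformed ids from reaching the library.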

CWE: CWE-287, CWE-22
Vendor: supabase
Product: auth-js
Published: May 27, 2025
Last Updated: Apr 27, 2026

Affected Versions

supabase / auth-js
< 2.70.0

References

github.com: https://github.com/supabase/auth-js/security/advisories/GHSA-8r88-6cj9-9fh5
github.com: https://github.com/supabase/auth-js/pull/1063
github.com: https://github.com/supabase/auth-js/commit/1bcb76e479e51cd9bca2d7732d0bf3199e07a693