Description
auth-js is an isomorphic JavaScript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user-supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user-controlled inputs, such as the userId, are not affected by this. This issue has been patched in version 2.70.0.
Published: 2025-05-27
Score: 2.7 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The library's getUserById, deleteUser, updateUserById, listFactors, and deleteFactor functions did not enforce that the identifiers supplied to them were valid UUIDs. Because these values form part of the request URL path, an attacker who controls one of them could supply a malformed or crafted identifier that traverses the URL path, causing the library to call an unintended API function. The flaw, classified under CWE-22 (Path Traversal) and CWE-287 (Improper Authentication), allows calls to API operations the attacker should not be able to perform, potentially leading to privilege escalation or data exposure.

Affected Systems

Supabase's auth-js JavaScript library, used in both client and server environments, is affected in all releases before 2.70.0. Implementations that validate the userId or other parameters before calling the library are not impacted. The vulnerability was fixed in auth-js version 2.70.0 and later.

Risk and Exploitability

The CVSS score of 2.7 classifies this vulnerability as low severity, and the EPSS score of <1% indicates an extremely low probability of exploitation. Based on the description, the most likely attack vector is an attacker sending crafted requests with malformed identifiers to a client or server that uses a vulnerable version of auth-js. Because the flaw depends on malformed user input reaching the library unchecked, such requests may trigger unintended API functions. The risk is mitigated in environments that enforce strict UUID validation or have applied the patch, and there is no evidence that this vulnerability appears in the CISA KEV catalog.

Generated by OpenCVE AI on May 2, 2026 at 01:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to auth-js 2.70.0 or later.
  • Implement strict UUID validation for all values passed to getUserById, deleteUser, updateUserById, listFactors, and deleteFactor.
  • Enforce input validation on user-generated IDs in client applications before invoking auth-js functions.
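The validation the recommended actions call for, as an added example that is not code from the auth-js project: every identifier is checked against an anchored UUID pattern before it reaches the five admin functions named in the advisory, so a malformed value can never be embedded in a request path. It assumes the admin object has the supabase-js shape (auth.admin.getUserById, deleteUser, updateUserById, mfa.listFactors, mfa.deleteFactor); any object with that shape works.

```javascript
// Added example, not auth-js project code. Assumes the admin object exposes
// getUserById, deleteUser, updateUserById, mfa.listFactors and mfa.deleteFactor.

// Textual UUID: 8-4-4-4-12 hex digits. Version/variant nibbles are not pinned
// so that the nil UUID and newer versions issued by Postgres also pass.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isUuid(value) {
  // Anchored regex on a string: rejects "/", "..", query strings, whitespace
  // and anything that is not exactly one UUID.
  return typeof value === "string" && UUID_RE.test(value);
}

// Throw rather than return a flag so a forgotten check cannot fall through.
function assertUuid(value, name) {
  if (!isUuid(value)) {
    throw new TypeError(`${name} must be a UUID, got ${JSON.stringify(value)}`);
  }
  return value;
}

// Wrap the five functions once at the boundary instead of at every call site.
// Extra arguments (soft-delete flag, attribute object) are forwarded unchanged.
function guardedAdmin(admin) {
  return {
    getUserById: (uid) => admin.getUserById(assertUuid(uid, "userId")),
    deleteUser: (uid, soft) => admin.deleteUser(assertUuid(uid, "userId"), soft),
    updateUserById: (uid, attrs) =>
      admin.updateUserById(assertUuid(uid, "userId"), attrs),
    mfa: {
      listFactors: ({ userId }) =>
        admin.mfa.listFactors({ userId: assertUuid(userId, "userId") }),
      deleteFactor: ({ userId, id }) =>
        admin.mfa.deleteFactor({
          userId: assertUuid(userId, "userId"),
          id: assertUuid(id, "factorId"),
        }),
    },
  };
}
```

Apply the wrapper to `supabase.auth.admin` once at startup and hand out only the guarded object; the check then also covers code paths added later.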

Advisories
Source: EUVD; ID: EUVD-2025-16354; Title: auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.69.1.
Source: GitHub GHSA; ID: GHSA-8r88-6cj9-9fh5; Title: auth-js Vulnerable to Insecure Path Routing from Malformed User Input
History

Mon, 27 Apr 2026 21:45:00 +0000

Description (removed): auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.69.1.
Description (added): auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.70.0.
References (changed)

Tue, 27 May 2025 16:15:00 +0000

Metrics ssvc (added): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 27 May 2025 15:30:00 +0000

Description (added): auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.69.1.
Title (added): auth-js Vulnerable to Insecure Path Routing from Malformed User Input
Weaknesses (added): CWE-22, CWE-287
References (added)
Metrics cvssV4_0 (added): {'score': 2.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-27T21:11:41.238Z

Reserved: 2025-05-19T15:46:00.395Z

Link: CVE-2025-48370

Vulnrichment

Updated: 2025-05-27T15:37:14.802Z

NVD

Status: Deferred

Published: 2025-05-27T16:15:32.880

Modified: 2026-04-27T22:16:17.410

Link: CVE-2025-48370

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-02T01:30:16Z

Weaknesses