Description
auth-js is an isomorphic JavaScript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user-supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user-controlled inputs, such as the userId, are not affected by this. This issue has been patched in version 2.70.0.
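Added example (not auth-js code) of the input validation the description refers to: a strict UUID check on userId before the value is interpolated into the request path, shown beside an unguarded builder. The path prefix and function names are assumptions.

```javascript
// Constructed placeholder for an admin endpoint prefix; not the real auth-js route.
const ADMIN_USERS_PREFIX = "/admin/users";

// RFC 4122 textual form: 8-4-4-4-12 hex digits and nothing else.
const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isUuid(value) {
  return typeof value === "string" && UUID_RE.test(value);
}

// Unguarded builder: whatever the caller passes becomes part of the path,
// which is the class of defect the description attributes to versions before 2.70.0.
function buildUserPathUnguarded(userId) {
  return `${ADMIN_USERS_PREFIX}/${userId}`;
}

// Guarded builder: reject anything that is not a UUID before it reaches the URL.
function buildUserPath(userId) {
  if (!isUuid(userId)) {
    throw new TypeError("userId must be a valid UUID");
  }
  return `${ADMIN_USERS_PREFIX}/${userId}`;
}

// Convenience wrapper that reports the outcome instead of throwing, so a
// caller can log rejected identifiers (useful as a detection signal).
function tryBuildUserPath(userId) {
  try {
    return { status: "ok", path: buildUserPath(userId) };
  } catch (e) {
    return { status: "rejected", reason: e.message };
  }
}
```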
References (3)
Vendor Advisory: https://github.com/supabase/auth-js/security/advisories/GHSA-8r88-6cj9-9fh5
Issue Tracking: https://github.com/supabase/auth-js/pull/1063
Other (commit): https://github.com/supabase/auth-js/commit/1bcb76e479e51cd9bca2d7732d0bf3199e07a693
Scores
CVSS v4: 2.7 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U)
EPSS: 0.0020
EPSS Percentile: 41.9%
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-22, CWE-287
Status: published
Products (3)
supabase/auth-js 0 - 2.69.1 (npm)
supabase/auth-js < 2.69.1
supabase/auth-js < 2.70.0
Published: May 27, 2025
Tracked Since: Feb 18, 2026