{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-21T12:08:53.758","vulnerabilities":[{"cve":{"id":"CVE-2025-48370","sourceIdentifier":"security-advisories@github.com","published":"2025-05-27T16:15:32.880","lastModified":"2026-06-17T09:29:33.677","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"auth-js is an isomorphic Javascript library for Supabase Auth. Prior to version 2.70.0, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user controlled inputs, such as the userId are not affected by this. This issue has been patched in version 2.70.0."},{"lang":"es","value":"auth-js es una librería de Javascript isomórfica para Supabase Auth. Antes de la versión 2.69.1, las funciones de la librería getUserById, deleteUser, updateUserById, listFactors y deleteFactor no requerían que los valores proporcionados por el usuario fueran UUID válidos. Esto podía provocar un recorrido de la URL, lo que resultaba en la llamada a una función de API incorrecta. Las implementaciones que siguen las mejores prácticas de seguridad y validan las entradas controladas por el usuario, como el ID de usuario, no se ven afectadas. Este problema se ha corregido en la versión 2.69.1."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"supabase","product":"auth-js","versions":[{"version":"< 2.70.0","status":"affected"}]}]}],"metrics":{"cvssMetricV40":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"4.0","vectorString":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X","baseScore":2.7,"baseSeverity":"LOW","attackVector":"NETWORK","attackComplexity":"LOW","attackRequirements":"NONE","privilegesRequired":"NONE","userInteraction":"NONE","vulnConfidentialityImpact":"LOW","vulnIntegrityImpact":"LOW","vulnAvailabilityImpact":"NONE","subConfidentialityImpact":"NONE","subIntegrityImpact":"NONE","subAvailabilityImpact":"NONE","exploitMaturity":"UNREPORTED","confidentialityRequirement":"NOT_DEFINED","integrityRequirement":"NOT_DEFINED","availabilityRequirement":"NOT_DEFINED","modifiedAttackVector":"NOT_DEFINED","modifiedAttackComplexity":"NOT_DEFINED","modifiedAttackRequirements":"NOT_DEFINED","modifiedPrivilegesRequired":"NOT_DEFINED","modifiedUserInteraction":"NOT_DEFINED","modifiedVulnConfidentialityImpact":"NOT_DEFINED","modifiedVulnIntegrityImpact":"NOT_DEFINED","modifiedVulnAvailabilityImpact":"NOT_DEFINED","modifiedSubConfidentialityImpact":"NOT_DEFINED","modifiedSubIntegrityImpact":"NOT_DEFINED","modifiedSubAvailabilityImpact":"NOT_DEFINED","Safety":"NOT_DEFINED","Automatable":"NOT_DEFINED","Recovery":"NOT_DEFINED","valueDensity":"NOT_DEFINED","vulnerabilityResponseEffort":"NOT_DEFINED","providerUrgency":"NOT_DEFINED"}}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-05-27T15:36:43.947758Z","id":"CVE-2025-48370","options":[{"exploitation":"none"},{"automatable":"yes"},{"technicalImpact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-22"},{"lang":"en","value":"CWE-287"}]}],"references":[{"url":"https://github.com/supabase/auth-js/commit/1bcb76e479e51cd9bca2d7732d0bf3199e07a693","source":"security-advisories@github.com"},{"url":"https://github.com/supabase/auth-js/pull/1063","source":"security-advisories@github.com"},{"url":"https://github.com/supabase/auth-js/security/advisories/GHSA-8r88-6cj9-9fh5","source":"security-advisories@github.com"}]}}]}