
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
CVE-2025-48370 affects auth-js, an isomorphic JavaScript library for Supabase Auth. The vulnerability was discovered and disclosed in May 2025, impacting versions prior to 2.69.1. The issue involves several library functions (getUserById, deleteUser, updateUserById, listFactors, and deleteFactor) that failed to properly validate UUID parameters, potentially leading to URL path traversal vulnerabilities (GitHub Advisory).
The vulnerability stems from the library's failure to enforce UUID validation on user-supplied values in specific functions. This implementation weakness could result in URL path traversal, potentially causing incorrect API function calls. The vulnerability has been assigned a CVSS v4.0 score of 2.7 (LOW) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U. The issue is classified under CWE-287 (Improper Authentication) and CWE-22 (Path Traversal) (NVD).
The vulnerability could allow attackers to manipulate API function calls through URL path traversal. However, the impact is limited to implementations that do not follow security best practices for input validation. Organizations that properly validate user-controlled inputs before passing them to the library functions are not affected by this vulnerability (GitHub Advisory).
The issue has been patched in version 2.69.1, which implements strict value checks requiring valid UUID (v4) for userId and factorId parameters. As a workaround, users should implement proper input validation before passing values to the library functions. It is recommended to follow security best practices and validate all inputs before passing them to other functions or libraries (GitHub Advisory, GitHub Pull).
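The following is an added example, not auth-js code: it shows the kind of strict UUID v4 check the advisory describes as both the fix and the workaround, applied before a user-controlled identifier is placed into an API path. The path layout, function names and sample values are assumptions for illustration.

```javascript
// Strict UUID v4 shape: version nibble must be 4, variant nibble 8/9/a/b.
// Anchored with ^ and $ so no extra path segments or slashes can ride along.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function isUuidV4(value) {
  return typeof value === "string" && UUID_V4.test(value);
}

// Fail closed: a malformed value never reaches the request builder.
function requireUuidV4(value, paramName) {
  if (!isUuidV4(value)) {
    throw new TypeError(`${paramName} must be a UUID v4, got ${JSON.stringify(value)}`);
  }
  return value;
}

// Hypothetical admin path builders (assumed layout, not the library's own).
// Because the identifier is validated first, the only characters that can
// appear in the path are hex digits and hyphens, so the addressed endpoint
// cannot be changed by the caller-supplied value.
function adminUserPath(userId) {
  const id = requireUuidV4(userId, "userId");
  return `/admin/users/${id}`;
}

function adminFactorPath(userId, factorId) {
  const uid = requireUuidV4(userId, "userId");
  const fid = requireUuidV4(factorId, "factorId");
  return `/admin/users/${uid}/factors/${fid}`;
}

// Helper for the checks below: true when the builder rejects the input.
function rejects(fn, ...args) {
  try {
    fn(...args);
    return false;
  } catch (e) {
    return e instanceof TypeError;
  }
}

// Constructed sample identifiers, not taken from any real deployment.
const SAMPLE_USER_ID = "3f2504e0-4f89-41d3-9a0c-0305e82c3301";
const SAMPLE_FACTOR_ID = "9b2f4d1c-7e6a-4c3b-8d5e-1a2b3c4d5e6f";
```

Wrapping every call site this way (or upgrading to 2.69.1, which performs the same check inside the library) is the mitigation the advisory recommends.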
Source: This report was generated using AI