
CVE-2025-48370: CWE-287: Improper Authentication in supabase auth-js

Severity: Low
Tags: Vulnerability, CVE-2025-48370, CWE-287, CWE-22
Published: Tue May 27 2025 (05/27/2025, 15:27:00 UTC)
Source: CVE Database V5
Vendor/Project: supabase
Product: auth-js

Description

auth-js is an isomorphic JavaScript library for Supabase Auth. Prior to version 2.69.1, the library functions getUserById, deleteUser, updateUserById, listFactors and deleteFactor did not require the user-supplied values to be valid UUIDs. This could lead to a URL path traversal, resulting in the wrong API function being called. Implementations that follow security best practice and validate user-controlled inputs, such as the userId, are not affected by this. This issue has been patched in version 2.69.1.

AI-Powered Analysis

Last updated: 07/06/2025, 03:26:42 UTC

Technical Analysis

CVE-2025-48370 is a vulnerability in the supabase auth-js library, an isomorphic JavaScript library used for Supabase authentication. It affects versions prior to 2.69.1 and stems from insufficient validation of user-supplied UUID inputs in several key functions: getUserById, deleteUser, updateUserById, listFactors, and deleteFactor. These functions did not enforce that the supplied values were valid UUIDs, so a crafted value could produce a URL path traversal. Such traversal could cause the API to invoke an unintended function, potentially exposing or manipulating data incorrectly. The vulnerability is classified under CWE-287 (Improper Authentication) and CWE-22 (Path Traversal). The flaw does not require authentication or user interaction and can be exploited remotely over the network; however, its impact is limited by the nature of the flaw, and only implementations that do not validate their inputs (contrary to best practice) are vulnerable. The issue has been addressed and patched in version 2.69.1 of auth-js. The CVSS 4.0 base score is 2.7, indicating low severity and reflecting limited impact on confidentiality, integrity, and availability. No known exploits are reported in the wild at this time.

Potential Impact

For European organizations using Supabase's auth-js library versions prior to 2.69.1, this vulnerability could allow attackers to manipulate API calls by exploiting improper input validation, potentially leading to unauthorized access or modification of user authentication data. While the severity is low, the risk increases if the affected implementations do not perform their own input validation, which is a recommended security best practice. The impact could include unauthorized user data exposure or manipulation of authentication factors, which may undermine trust in identity management systems. Given that Supabase is popular among startups and developers for backend services, organizations relying on this library for critical authentication workflows could face disruptions or data integrity issues if exploited. However, the low CVSS score and absence of known exploits suggest the immediate risk is limited. Still, organizations in sectors with strict data protection regulations, such as finance or healthcare, should prioritize patching to maintain compliance and security posture.

Mitigation Recommendations

European organizations should immediately upgrade the supabase auth-js library to version 2.69.1 or later to remediate this vulnerability. Additionally, they should implement strict validation of all user-supplied inputs, especially UUIDs used in authentication-related API calls, to ensure they conform to expected formats before processing. Employing input validation libraries or regex checks for UUID format can prevent path traversal attacks. Organizations should also conduct code audits and penetration testing focused on authentication workflows to detect any similar weaknesses. Monitoring API logs for unusual or malformed requests targeting authentication endpoints can help detect exploitation attempts. Finally, integrating runtime application self-protection (RASP) or web application firewalls (WAF) with rules targeting path traversal patterns can provide an additional layer of defense.
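As an added illustration for the UUID check recommended above and the path-traversal mechanism described in the advisory (this is not auth-js source, and BASE_URL and the /admin/users route are assumptions made for the example), the unchecked path build beside one that validates userId first:

```javascript
// Added example, not auth-js source: contrast an unchecked path build with
// one that validates userId as a UUID first. BASE_URL and the /admin/users
// route are assumptions made for illustration.
const BASE_URL = "https://project.example/auth/v1";

// Canonical UUID text form: 8-4-4-4-12 hex digits, case-insensitive.
// A stricter check could also pin the version and variant nibbles.
const UUID_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

function isUuid(value) {
  return typeof value === "string" && UUID_RE.test(value);
}

// Weak pattern: the caller-supplied id is interpolated straight into the
// path, so a value containing "/" or ".." is resolved by the URL parser
// and the request can land on a different endpoint.
function buildUserUrlUnchecked(userId) {
  return new URL(`${BASE_URL}/admin/users/${userId}`).toString();
}

// Hardened pattern: reject anything that is not a UUID before the value
// reaches the path, so the request can only target the intended route.
function buildUserUrlChecked(userId) {
  if (!isUuid(userId)) {
    throw new TypeError("userId must be a valid UUID");
  }
  return new URL(`${BASE_URL}/admin/users/${userId}`).toString();
}

// Defender-side sanity check, usable in unit tests or request middleware:
// the final URL must still sit under the users route.
function staysUnderUsersRoute(url) {
  return url.startsWith(`${BASE_URL}/admin/users/`);
}
```

Running the unchecked builder on a non-UUID value and then applying staysUnderUsersRoute shows how a single missing format check moves the request off the intended route.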


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-05-19T15:46:00.395Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6835dda5182aa0cae2186689

Added to database: 5/27/2025, 3:43:33 PM

Last enriched: 7/6/2025, 3:26:42 AM

Last updated: 8/13/2025, 3:33:13 PM
