How the CVE Works:
The vulnerability in Supabase's `auth-js` library arises from insufficient input validation in the admin API functions getUserById, deleteUser and updateUserById (and the functions that take a factorId). These functions accept caller-supplied identifiers and interpolate them straight into the request path without checking that they are UUIDs (version 4). An attacker who can influence that identifier can therefore perform path traversal: a value containing `../` segments changes which endpoint on the Auth server the request reaches, so the library ends up calling an API function the application never intended, allowing unauthorized access or data manipulation. The flaw is only reachable where an integration forwards untrusted input into these functions; deployments that already validate the identifier before calling the library are not affected.
DailyCVE Form:
Platform: Supabase/auth-js
Version: < 2.69.1
Vulnerability: Path Traversal
Severity: Medium
Date: 2023-XX-XX
Prediction: Patch expected by 2023-XX-XX
What Undercode Say:
Exploitation:
1. Craft a malformed `userId` or `factorId` (for example one containing `../` segments) that the application hands to auth-js without UUID validation.
2. Send the manipulated value to an application endpoint that forwards it to the library, such as `/user/:id`.
3. The traversal rewrites the Auth API path the library requests, triggering an unintended function.
Protection:
1. Upgrade to `auth-js` >= 2.69.1 (if it is installed transitively through `supabase-js`, confirm the lockfile resolves that version).
2. Manually validate UUIDs before passing them to library functions (the fourth group of a v4 UUID starts with 8, 9, a or b):
const isValidUUID = (id) => /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i.test(id);
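To make the mechanism behind the exploitation steps and the UUID mitigation concrete, here is an added example (not code from auth-js or from the original post). It models the admin-API URL the way string interpolation of `${url}/admin/users/${id}` would build it and resolves it with the WHATWG URL parser, as fetch does; the project URL and the traversal target are hypothetical, and the sample ids are constructed for the demonstration.

```javascript
// Added example, not auth-js code: models how a caller-supplied id ends up in an
// admin-API path and why a UUID check before interpolation closes the traversal.
// The project URL below is hypothetical.
const AUTH_URL = "https://example-project.supabase.co/auth/v1";

// RFC 4122 version-4 UUID: third group starts with 4, fourth group with 8, 9, a or b.
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

function isValidUUID(id) {
  return typeof id === "string" && UUID_V4.test(id);
}

// Unchecked shape: the id is interpolated straight into the path. The WHATWG URL
// parser (the one fetch uses) collapses "../" segments, so the request leaves
// /admin/users/ and lands on whatever endpoint the attacker named.
function adminUserUrlUnchecked(userId) {
  return new URL(`${AUTH_URL}/admin/users/${userId}`).href;
}

// Hardened shape: refuse anything that is not a v4 UUID before it touches the path.
function adminUserUrlChecked(userId) {
  if (!isValidUUID(userId)) {
    throw new TypeError(`expected a UUID, got ${JSON.stringify(userId)}`);
  }
  return adminUserUrlUnchecked(userId);
}

// The Auth endpoint a given id would actually hit, relative to AUTH_URL, so the
// traversal can be inspected without a network call.
function resolvedEndpoint(userId) {
  const url = new URL(adminUserUrlUnchecked(userId));
  const basePath = new URL(AUTH_URL).pathname;
  return url.pathname.slice(basePath.length) + url.search;
}

// Constructed sample inputs: one legitimate id and one attacker-shaped value.
const SAMPLE_IDS = {
  legit: "123e4567-e89b-42d3-a456-426614174000",
  traversal: "../../other-endpoint", // climbs out of /admin/users/ (hypothetical target)
};

// resolvedEndpoint(SAMPLE_IDS.legit)     -> "/admin/users/123e4567-e89b-42d3-a456-426614174000"
// resolvedEndpoint(SAMPLE_IDS.traversal) -> "/other-endpoint"
// adminUserUrlChecked(SAMPLE_IDS.traversal) throws a TypeError
```

The check sits before interpolation on purpose: once the string is inside the URL the parser has already normalised the dot segments, and nothing downstream can tell a traversed path from a legitimate one.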
Analytics:
- Attack Vector: Low complexity, high reproducibility.
- Mitigation Cost: Minimal (library upgrade).
- Affected Systems: Supabase integrations without input validation.
Detection Commands:
Check the installed auth-js version. Because auth-js is usually pulled in transitively by supabase-js, the resolved version in the lockfile is what matters, not only a direct entry in package.json:
grep '"@supabase/auth-js"' package.json
Patch Verification:
// Post-upgrade test: with auth-js >= 2.69.1 the admin call refuses a non-UUID id.
// URL and SERVICE_ROLE_KEY are placeholders; the admin API requires the service-role key.
import { createClient } from '@supabase/supabase-js';
const supabase = createClient(URL, SERVICE_ROLE_KEY);
try {
  const { error } = await supabase.auth.admin.getUserById("invalid-uuid");
  console.log(error ? "patched: rejected non-UUID id" : "NOT patched: call was accepted");
} catch (err) {
  console.log("patched: rejected non-UUID id", err.message);
}
Temporary Workaround:
// Middleware to enforce UUIDs on the route parameter before it reaches the library
const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;
const isValidUUID = (id) => UUID_V4.test(id);
app.use('/user/:id', (req, res, next) => {
  if (!isValidUUID(req.params.id)) return res.status(400).send("Invalid UUID");
  next();
});
References:
- Supabase GHSA: supabase/auth-js1063
- UUID RFC: RFC 4122
Sources:
Reported By: github.com