Platform
nodejs
Component
auth-js
Fixed in
2.70.1
2.70.0
CVE-2025-48370 is a path traversal vulnerability discovered in the auth-js library. This flaw arises from inadequate validation of user-supplied UUIDs within several API functions, potentially allowing an attacker to manipulate the API endpoint. Versions of auth-js prior to 2.70.0 are affected. A patch has been released, requiring strict UUID validation for user-controlled parameters.
The vulnerability lies in the getUserById, deleteUser, updateUserById, listFactors, and deleteFactor functions within auth-js. Because these functions do not properly validate the userId and factorId parameters as valid UUIDs (v4 format), a malicious actor who controls one of these parameters can alter the URL the library builds, so that a different API endpoint is called than the one intended. This could lead to unauthorized access or modification of data, depending on the underlying application logic. Implementations that already validate these inputs are not vulnerable, but many applications have no such check in place, leaving a significant attack surface. The potential impact ranges from data exposure to privilege escalation, depending on the application's configuration and the attacker's ability to exploit the bypassed API calls.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, suggesting a relatively low probability of immediate exploitation. However, the ease of exploitation once a PoC is released could change this assessment. The vulnerability was publicly disclosed on 2025-05-27.
Applications utilizing auth-js version 2.70.0 or earlier, particularly those lacking robust input validation on user-supplied identifiers, are at risk. Shared hosting environments where multiple applications share the same auth-js instance could amplify the impact, as a vulnerability in one application could potentially expose others.
• nodejs:
npm list auth-js
# Check version. If <= 2.70.0, the system is vulnerable.
• generic web:
curl -I 'https://your-application.com/api/auth/user/invalid-uuid'
# Check for unexpected API responses or errors indicating path traversal.
Exploit Status
EPSS
0.21% (percentile 44%)
CISA SSVC
The primary mitigation is to upgrade to auth-js version 2.70.0 or later. This version includes strict UUID validation checks for the affected API functions, preventing the path traversal vulnerability. If upgrading immediately is not feasible, consider implementing input validation on the application side to ensure that userId and factorId parameters conform to the UUID v4 format before passing them to the auth-js library. While not a complete solution, this can reduce the attack surface. Monitor application logs for unusual API calls or requests containing invalid UUIDs, which could indicate an attempted exploitation. There are no specific WAF rules or Sigma/YARA patterns readily available for this vulnerability, making application-level validation and log monitoring crucial.
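The two application-side measures described above (strict UUID v4 validation of userId/factorId before they reach the library, and reviewing logs for requests carrying non-UUID identifiers), as an added example that is not auth-js code. The path layout (/admin/users/<id>/factors/<id>), the sample log lines and all function names are hypothetical.

```javascript
// Added example, not auth-js code: allowlist validation of user-controlled identifiers
// before they are placed in an API path, plus a log check for requests with non-UUID ids.
// The path layout (/admin/users/<id>/factors/<id>) and all function names are hypothetical.

const UUID_V4_RE =
  /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// Strict UUID v4 check: exact length and layout, version nibble 4, RFC 4122 variant.
function isUuidV4(value) {
  return typeof value === 'string' && UUID_V4_RE.test(value);
}

// Weak pattern: the caller-supplied id is interpolated into the path untouched,
// so whatever string arrives shapes the final endpoint.
function buildUserPathUnchecked(baseUrl, userId) {
  return `${baseUrl}/admin/users/${userId}`;
}

// Hardened pattern: reject everything that is not a v4 UUID before building the path.
function buildUserPath(baseUrl, userId) {
  if (!isUuidV4(userId)) {
    throw new TypeError('userId must be a UUID v4');
  }
  return `${baseUrl}/admin/users/${userId}`;
}

// Log review: flag request lines whose user or factor id segment is not a v4 UUID.
// Returns one record per offending segment, so one line can produce several hits.
function findInvalidIdRequests(lines) {
  const hits = [];
  for (const line of lines) {
    for (const m of line.matchAll(/\/(users|factors)\/([^\/\s]+)/g)) {
      if (!isUuidV4(m[2])) hits.push({ line, kind: m[1], segment: m[2] });
    }
  }
  return hits;
}

// Constructed sample access-log lines (not taken from any real system).
const SAMPLE_LOG = [
  'GET /admin/users/3f2504e0-4f89-41d3-9a0c-0305e82c3301 200',
  'GET /admin/users/not-a-uuid 404',
  'DELETE /admin/users/3f2504e0-4f89-41d3-9a0c-0305e82c3301/factors/abc 400',
];
```

Running findInvalidIdRequests over SAMPLE_LOG flags the second and third lines; the first passes because its id is a well-formed v4 UUID.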
Update the auth-js library to version 2.70.0 or later to mitigate the path traversal vulnerability. This update requires user-supplied values, such as the user ID, to be valid UUIDs, thereby preventing the wrong API functions from being called.
CVE-2025-48370 is a path traversal vulnerability in the auth-js library, allowing attackers to potentially bypass intended API calls due to insufficient UUID validation.
You are affected if you are using auth-js version 2.70.0 or earlier. Upgrade to 2.70.0 or later to resolve the vulnerability.
Upgrade to auth-js version 2.70.0 or later. If immediate upgrade is not possible, implement input validation on user-supplied UUIDs.
There are currently no confirmed reports of active exploitation, but the ease of exploitation warrants caution.
Refer to the auth-js project's release notes and security advisories on their official repository for the latest information.