Platform
nodejs
Component
auth-js
Fixed in
2.70.1
2.70.0
CVE-2025-48370 is a path traversal vulnerability discovered in the auth-js library. The flaw arises from inadequate validation of user-supplied UUIDs in several API functions, which potentially allows an attacker to manipulate the API endpoint that is called. Versions of auth-js prior to 2.70.0 are affected. A patch has been released; it enforces strict UUID validation on user-controlled parameters.
The vulnerability lies in the getUserById, deleteUser, updateUserById, listFactors, and deleteFactor functions within auth-js. Because these functions do not properly validate the userId and factorId parameters as valid UUIDs (v4 format), a malicious actor can craft a URL that bypasses intended API calls. This could lead to unauthorized access or modification of data, depending on the underlying application logic. While implementations that already validate user inputs are not vulnerable, many applications may not have such protections in place, creating a significant attack surface. The potential impact ranges from data exposure to privilege escalation, depending on the application’s configuration and the attacker’s ability to exploit the bypassed API calls.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, suggesting a relatively low probability of immediate exploitation. However, the ease of exploitation once a PoC is released could change this assessment. The vulnerability was publicly disclosed on 2025-05-27.
Applications utilizing auth-js version 2.70.0 or earlier, particularly those lacking robust input validation on user-supplied identifiers, are at risk. Shared hosting environments where multiple applications share the same auth-js instance could amplify the impact, as a vulnerability in one application could potentially expose others.
• nodejs:
npm list auth-js
# Check version. If <= 2.70.0, the system is vulnerable.
• generic web:
curl -I 'https://your-application.com/api/auth/user/invalid-uuid'
# Check for unexpected API responses or errors indicating path traversal.
Exploit Status
EPSS
0.21% (44th percentile)
CISA SSVC
The primary mitigation is to upgrade to auth-js version 2.70.0 or later. This version includes strict UUID validation checks for the affected API functions, preventing the path traversal vulnerability. If upgrading immediately is not feasible, consider implementing input validation on the application side to ensure that userId and factorId parameters conform to the UUID v4 format before passing them to the auth-js library. While not a complete solution, this can reduce the attack surface. Monitor application logs for unusual API calls or requests containing invalid UUIDs, which could indicate an attempted exploitation. There are no specific WAF rules or Sigma/YARA patterns readily available for this vulnerability, making application-level validation and log monitoring crucial.
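The application-side validation and log monitoring described above, as an added example that is not auth-js project code: a strict UUID v4 check applied before an identifier reaches the library, plus a scan over constructed access-log lines that flags requests whose id segments are not UUIDs. The path layout `/admin/users/<userId>[/factors/<factorId>]` and the log format are assumptions for illustration.

```javascript
// Added example (not auth-js project code). Rejects ids that are not
// UUID v4 before they are passed on, and flags log lines whose id segment
// is not a UUID. Path layout and log format below are assumed/constructed.

const UUID_V4 = /^[0-9a-f]{8}-[0-9a-f]{4}-4[0-9a-f]{3}-[89ab][0-9a-f]{3}-[0-9a-f]{12}$/i;

// True only for a canonical 36-character UUID v4 string (version nibble 4,
// variant nibble 8/9/a/b); anything else, including objects, is rejected.
function isUuidV4(value) {
  return typeof value === 'string' && UUID_V4.test(value);
}

// Returns the id unchanged or throws, so call sites can be written as
// admin.getUserById(requireUuidV4(req.params.userId, 'userId')).
function requireUuidV4(value, name = 'id') {
  if (!isUuidV4(value)) {
    throw new TypeError(`${name} must be a UUID v4, got ${JSON.stringify(value)}`);
  }
  return value;
}

// Constructed sample access-log lines: "<method> <path> <status>".
const SAMPLE_LOG = [
  'GET /admin/users/3fa85f64-5717-4562-b3fc-2c963f66afa6 200',
  'GET /admin/users/not-a-uuid 404',
  'DELETE /admin/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/factors/1 200',
  'GET /admin/users/3fa85f64-5717-4562-b3fc-2c963f66afa6/factors 200',
];

// Assumed path layout: /admin/users/<userId>[/factors/<factorId>].
const PATH_RE = /^\S+ \/admin\/users\/([^\/\s]+)(?:\/factors\/([^\/\s]+))?/;

// Returns the log lines in which any id segment is not a well-formed UUID v4;
// these are the requests worth reviewing for attempted misuse.
function findInvalidIdRequests(lines) {
  return lines.filter((line) => {
    const m = PATH_RE.exec(line);
    if (!m) return false;
    const ids = [m[1], m[2]].filter((id) => id !== undefined);
    return ids.some((id) => !isUuidV4(id));
  });
}
```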
Update the auth-js library to version 2.70.0 or later to mitigate the path traversal vulnerability. This update requires user-supplied values, such as the user ID, to be valid UUIDs, which prevents unintended API functions from being executed.
CVE-2025-48370 is a path traversal vulnerability in the auth-js library, allowing attackers to potentially bypass intended API calls due to insufficient UUID validation.
You are affected if you are using auth-js version 2.70.0 or earlier. Upgrade to 2.70.0 or later to resolve the vulnerability.
Upgrade to auth-js version 2.70.0 or later. If immediate upgrade is not possible, implement input validation on user-supplied UUIDs.
There are currently no confirmed reports of active exploitation, but the ease of exploitation warrants caution.
Refer to the auth-js project's release notes and security advisories on their official repository for the latest information.