Impact
A vulnerability has been identified which can allow user impersonation of certain Supabase Auth users. We have found no evidence of exploitation on the hosted platform and we are publishing this advisory for developers self-hosting Auth.
All hosted projects on the Supabase Platform have been patched. The following remediation and recommendations are only relevant if you are self hosting the Auth server.
On all self-hosted versions of Auth, an attacker could obtain access to the user’s account if a successful attack is carried out.
CVSS3.0: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N (High, 7.3)
Attack Vector
By modifying the X-Forwarded-Host and X-Forwarded-Proto headers, an attacker can control the URL in the emails sent by the Auth server. When a link is opened, the security code in the URL could be sent to the attacker's server, allowing the attacker to gain access to the user's account.
Affected Versions
Auth versions 2.67.1 through 2.163.0 are affected.
Remediation
Please upgrade to the current latest version, 2.163.1, which contains the patch.
- v2.163.1 uses an allowlist to filter values sent in
X-Forwarded-Host
. Configure it via the GOTRUE_MAILER_EXTERNAL_HOSTS
environment variable with the hosts you would like to allow in email templates.
- By default no hosts are allowed.
Security Recommendations
Take the following additional security precautions:
Remove unchecked X-Forwarded-Host
and X-Forwarded-Proto
headers
If you use a HTTP Proxy, strip all unsanitized X-Forwarded-Host
and X-Forwarded-Proto
headers from incoming requests into the proxy
- Some proxies may forward the
Host
header in the X-Forwarded-Host
header without sanitization or checks. As such, configure the proxy to strip the X-Forwarded-Host
header before the request reaches the Auth server.
Here’s additional information based on commonly used HTTP proxies:
- Kong (Docs)
- Kong sanitizes
X-Forwarded-Host
and X-Forwarded-Proto
headers, however depending on your set up you may need to do additional checks to ensure that these headers cannot be manipulated.
- Kong can directly set the
Host
header as the X-Forwarded-Host
without additional checks. Ensure that your setup does not allow for this.
- Envoy (Docs)
- Nginx (Docs)
- Use the
proxy_hide_header
command to remove the X-Forwarded-Host
header.
- Traefik: (Docs)
- Remove the
X-Forwarded-Host
header.
Terminate Active User Sessions
Terminate all active user sessions. After the JWT expiry period (default: 1 hour) users would need to sign-in again. If an attacker has gained access to any one of their accounts, this will revoke it.
You can do this by executing the following query inside your database:
UPDATE auth.sessions SET not_after = NOW() FROM auth.identities WHERE auth.identities.provider = 'email' AND auth.sessions.user_id = auth.identities.user_id;
Alternatively you can delete the affected sessions, however the above approach is safer and reversible. The Auth server will slowly delete these session rows over a few days.
Notify Affected Users
Affected users typically have:
- An increased number of forgot password requests, with subsequent successful authentication.
- Links in messages that use hostnames which you do not control. Some email-sending services retain sent email messages, which would allow one to identify compromised links from them.
Notify users at your discretion and advise affected users to change their password.
Enable Multi-Factor Authentication
Ask your users to enroll in Multi-Factor Authentication (MFA) and enforce it in your application. Auth currently supports MFA with SMS and Time-based One-Time Password (TOTP).
References
If you have any questions or comments about this advisory:
Impact
A vulnerability has been identified which can allow user impersonation of certain Supabase Auth users. We have found no evidence of exploitation on the hosted platform and we are publishing this advisory for developers self-hosting Auth.
All hosted projects on the Supabase Platform have been patched. The following remediation and recommendations are only relevant if you are self hosting the Auth server.
On all self-hosted versions of Auth, an attacker could obtain access to the user’s account if a successful attack is carried out.
CVSS3.0: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N (High, 7.3)
Attack Vector
By modifying the X-Forwarded-Host and X-Forwarded-Proto headers, an attacker can control the URL in the emails sent by the Auth server. When a link is opened, the security code in the URL could be sent to the attacker's server, allowing the attacker to gain access to the user's account.
Affected Versions
Auth versions 2.67.1 through 2.163.0 are affected.
Remediation
Please upgrade to the current latest version, 2.163.1, which contains the patch.
X-Forwarded-Host
. Configure it via theGOTRUE_MAILER_EXTERNAL_HOSTS
environment variable with the hosts you would like to allow in email templates.Security Recommendations
Take the following additional security precautions:
Remove unchecked
X-Forwarded-Host
andX-Forwarded-Proto
headersIf you use a HTTP Proxy, strip all unsanitized
X-Forwarded-Host
andX-Forwarded-Proto
headers from incoming requests into the proxyHost
header in theX-Forwarded-Host
header without sanitization or checks. As such, configure the proxy to strip theX-Forwarded-Host
header before the request reaches the Auth server.Here’s additional information based on commonly used HTTP proxies:
X-Forwarded-Host
andX-Forwarded-Proto
headers, however depending on your set up you may need to do additional checks to ensure that these headers cannot be manipulated.Host
header as theX-Forwarded-Host
without additional checks. Ensure that your setup does not allow for this.X-Forwarded-Host
header. Ensure that you remove the header by using a Header Mutation HTTP Filterproxy_hide_header
command to remove theX-Forwarded-Host
header.X-Forwarded-Host
header.Terminate Active User Sessions
Terminate all active user sessions. After the JWT expiry period (default: 1 hour) users would need to sign-in again. If an attacker has gained access to any one of their accounts, this will revoke it.
You can do this by executing the following query inside your database:
Alternatively you can delete the affected sessions, however the above approach is safer and reversible. The Auth server will slowly delete these session rows over a few days.
Notify Affected Users
Affected users typically have:
Notify users at your discretion and advise affected users to change their password.
Enable Multi-Factor Authentication
Ask your users to enroll in Multi-Factor Authentication (MFA) and enforce it in your application. Auth currently supports MFA with SMS and Time-based One-Time Password (TOTP).
References
If you have any questions or comments about this advisory: