Skip to content

User object created with invalid provider data in GoTrue

Moderate severity GitHub Reviewed Published Feb 9, 2022 in netlify/gotrue • Updated Jan 11, 2023

Package

gomod github.com/netlify/gotrue (Go)

Affected versions

< 1.0.1

Patched versions

1.0.1

Description

Impact

What kind of vulnerability is it? Who is impacted?

Under certain circumstances a valid user object would have been created with invalid provider metadata.

This vulnerability affects everyone running an instance of GoTrue as a service. We advise you to update especially if you are using the provider metadata from the user object to secure other resources.

Patches

Has the problem been patched? What versions should users upgrade to?

A patch is available with the release of version 1.0.1 on Github.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

If you don't rely on the provider metadata in the user object, you might not be affected. We still strongly recommend upgrading.

References

Are there any links users can visit to find out more?

This problem was initially found and reported by the team at Supabase: GHSA-5hvv-9cqv-894r. We want to thank them for the cooperation around this report.

In contrast to their advisory, we decided to set the severity to "Moderate" since the provider metadata is not an inherent security feature of this GoTrue codebase or the Netlify ecosystem.

For more information

If you have any questions or comments about this advisory:

References

@mraerino mraerino published to netlify/gotrue Feb 9, 2022
Published to the GitHub Advisory Database Feb 9, 2022
Reviewed Feb 9, 2022
Last updated Jan 11, 2023

Severity

Moderate

Weaknesses

No CWEs

CVE ID

No known CVE

GHSA ID

GHSA-wpfr-6297-9v57

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.