Impact

A vulnerability has been identified which can allow user impersonation of certain Supabase Auth users. We have found no evidence of exploitation on the hosted platform and we are publishing this advisory for developers self-hosting Auth.

All hosted projects on the Supabase Platform have been patched. The following remediation and recommendations are only relevant if you are self hosting the Auth server.

On all self-hosted versions of Auth, an attacker could obtain access to the user’s account if a successful attack is carried out.

CVSS3.0: AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N (High, 7.3)

Attack Vector

By modifying the X-Forwarded-Host and X-Forwarded-Proto headers, an attacker can control the URL in the emails sent by the Auth server. When a link is opened, the security code in the URL could be sent to the attacker's server, allowing the attacker to gain access to the user's account.

Affected Versions

Auth versions 2.67.1 through 2.163.0 are affected.

Remediation

Please upgrade to the current latest version, 2.163.1, which contains the patch.

• v2.163.1 uses an allowlist to filter values sent in X-Forwarded-Host. Configure it via the GOTRUE_MAILER_EXTERNAL_HOSTS environment variable with the hosts you would like to allow in email templates.
• By default no hosts are allowed.

Security Recommendations

Take the following additional security precautions:

Remove unchecked X-Forwarded-Host and X-Forwarded-Proto headers

If you use a HTTP Proxy, strip all unsanitized X-Forwarded-Host and X-Forwarded-Proto headers from incoming requests into the proxy

• Some proxies may forward the Host header in the X-Forwarded-Host header without sanitization or checks. As such, configure the proxy to strip the X-Forwarded-Host header before the request reaches the Auth server.

Here’s additional information based on commonly used HTTP proxies:

• Kong (Docs)
  • Kong sanitizes X-Forwarded-Host and X-Forwarded-Proto headers, however depending on your set up you may need to do additional checks to ensure that these headers cannot be manipulated.
  • Kong can directly set the Host header as the X-Forwarded-Host without additional checks. Ensure that your setup does not allow for this.
• Envoy (Docs)
  • Envoy does not sanitize the X-Forwarded-Host header. Ensure that you remove the header by using a Header Mutation HTTP Filter
• Nginx (Docs)
  • Use the proxy_hide_header command to remove the X-Forwarded-Host header.
• Traefik: (Docs)
  • Remove the X-Forwarded-Host header.

Terminate Active User Sessions

Terminate all active user sessions. After the JWT expiry period (default: 1 hour) users would need to sign-in again. If an attacker has gained access to any one of their accounts, this will revoke it.

You can do this by executing the following query inside your database:

UPDATE auth.sessions SET not_after = NOW() FROM auth.identities WHERE auth.identities.provider = 'email' AND auth.sessions.user_id = auth.identities.user_id;

Alternatively you can delete the affected sessions, however the above approach is safer and reversible. The Auth server will slowly delete these session rows over a few days.

Notify Affected Users

Affected users typically have:

• An increased number of forgot password requests, with subsequent successful authentication.
• Links in messages that use hostnames which you do not control. Some email-sending services retain sent email messages, which would allow one to identify compromised links from them.

Notify users at your discretion and advise affected users to change their password.

Enable Multi-Factor Authentication

Ask your users to enroll in Multi-Factor Authentication (MFA) and enforce it in your application. Auth currently supports MFA with SMS and Time-based One-Time Password (TOTP).

References

If you have any questions or comments about this advisory:

• Open a ticket or email us at [email protected]
• For future security updates, we recommend subscribing to security alerts: