MEDIUM · CVSS 5.3
CVE-2025-24840 — supabase-js session-refresh race condition
A race condition in supabase-js's automatic session-refresh logic could cause two tabs of the same user to receive access tokens belonging to different refresh cycles, confusing server-side authorization state.
Affects
- @supabase/supabase-js < 2.47.10
What an attacker does
When a user opens two tabs of your Supabase-backed app at the same time, both tabs trigger a session refresh. Before the patch, one tab could receive the access token issued to the other tab. For most apps this was a low-impact correctness bug; for multi-account or tenant-switching apps it became a cross-session data leak.
How to detect
Run `npm ls @supabase/supabase-js` and confirm that every installed copy is 2.47.10 or later.
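Because `npm ls` can list several copies of the package (a transitive copy may be older than the top-level one), the following added example, which is not part of the advisory or of supabase-js, walks the JSON tree that `npm ls @supabase/supabase-js --json --all` prints and flags every copy below 2.47.10. The input tree is constructed inline and the helper package name in it is hypothetical.

```javascript
// Added example (not from the advisory): walk the JSON tree printed by
// `npm ls @supabase/supabase-js --json --all` and flag every copy of
// @supabase/supabase-js older than the fixed release, 2.47.10.
// Nested duplicates are checked too, since a transitive copy can be older
// than the top-level one.
const FIXED_VERSION = '2.47.10';

// Compare two dotted version strings numerically (prerelease tags ignored).
// Returns -1, 0 or 1 like a comparator.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Recursively collect every installed copy of `pkg` whose version is below
// FIXED_VERSION, recording the dependency path it was found under.
function findVulnerable(tree, pkg = '@supabase/supabase-js', path = []) {
  const hits = [];
  for (const [name, node] of Object.entries(tree.dependencies || {})) {
    const here = [...path, name];
    if (name === pkg && node.version && compareVersions(node.version, FIXED_VERSION) < 0) {
      hits.push({ path: here.join(' > '), version: node.version });
    }
    hits.push(...findVulnerable(node, pkg, here));
  }
  return hits;
}

// Constructed sample resembling `npm ls --json` output: one patched copy at
// top level and one older copy nested under a hypothetical helper package.
const sampleTree = {
  name: 'example-app',
  dependencies: {
    '@supabase/supabase-js': { version: '2.47.10' },
    'some-helper': {
      version: '1.0.0',
      dependencies: { '@supabase/supabase-js': { version: '2.47.9' } },
    },
  },
};

for (const hit of findVulnerable(sampleTree)) {
  console.log(`vulnerable: ${hit.path}@${hit.version} (fix: >= ${FIXED_VERSION})`);
}
```

To scan a real project, replace `sampleTree` with `JSON.parse` of the command's output.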
How to fix
Upgrade supabase-js to 2.47.10+.
How Securie catches it
Securie's Supabase specialist flags vulnerable supabase-js versions in any scanned repo.