Description
Capgo (Cap-go/capgo) before 12.128.2 contains an information disclosure vulnerability in the Supabase PostgREST RPC function public.get_total_metrics(org_id), which is callable by the anon role using only the public sb_publishable_* key. An unauthenticated attacker can probe organization existence and leak sensitive usage metrics including MAU, bandwidth, and install counts by sending POST requests to /rest/v1/rpc/get_total_metrics with valid organization UUIDs.
Problem types
Exposure of Sensitive Information to an Unauthorized Actor
Product status
Any version before 12.128.2
12.128.2 (semver)
Credits
Judel777
References
github.com/.../capgo/security/advisories/GHSA-h5jf-xgvh-hgjw
github.com/.../capgo/security/advisories/GHSA-h5jf-xgvh-hgjw (GitHub Security Advisory (GHSA-h5jf-xgvh-hgjw))
www.vulncheck.com/...cs-disclosure-via-get-total-metrics-rpc (VulnCheck Advisory: Capgo - Unauthenticated Metrics Disclosure via get_total_metrics RPC)