CRE-2025-0133

Supabase Self-Hosted: Storage Service Fails Due to S3 Misconfiguration
Severity: Medium
Impact: 7/10
Mitigation: 4/10


Description

Detects when Supabase Storage service fails due to incorrect S3 configuration including invalid credentials, non-existent buckets, or wrong S3 endpoint settings. This affects file upload/download operations and prevents the storage API from functioning properly.

Mitigation

IMMEDIATE:
- Verify S3 credentials: Test with AWS CLI `aws s3 ls s3://your-bucket`
- Check bucket existence and permissions in AWS Console
- Validate S3 region matches configuration

CONFIGURATION:
- Update .env with correct S3 credentials:
  ```
  AWS_ACCESS_KEY_ID=valid_access_key
  AWS_SECRET_ACCESS_KEY=valid_secret_key
  AWS_DEFAULT_REGION=correct_region
  S3_BUCKET=existing_bucket_name
  ```
- Ensure S3 bucket policy allows storage service operations
- Test connectivity to S3 endpoint from container network

PREVENTION:
- Use IAM roles instead of access keys when possible
- Implement S3 configuration validation in deployment scripts
- Set up monitoring for S3 API call failures
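
One way to do the deployment-script validation listed under PREVENTION, as an added example that is not part of the CRE rule or of Supabase: it checks the four .env keys shown above offline, then issues a single HeadBucket call. The function names and script name are hypothetical, and the live check assumes the AWS CLI is installed.

```shell
#!/usr/bin/env bash
# Added example (not Supabase code): pre-deploy check of the S3 settings in .env.
# Usage: ./check-s3-env.sh /path/to/.env   (script name is hypothetical)

# Print the value of KEY ($2) from env file ($1); last assignment wins, quotes stripped.
env_get() {
  sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1 | sed -e 's/^["'\'']//' -e 's/["'\'']$//'
}

# Offline checks: every key set, no template placeholder left, bucket name well-formed.
# Prints one line per problem (never the secret itself); returns 1 if any were found.
validate_s3_env() {
  local file="$1" key val problems=0
  for key in AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_DEFAULT_REGION S3_BUCKET; do
    val=$(env_get "$file" "$key")
    case $val in
      '') echo "$key: missing or empty"; problems=$((problems + 1)) ;;
      valid_access_key|valid_secret_key|correct_region|existing_bucket_name)
        echo "$key: still set to the template placeholder"; problems=$((problems + 1)) ;;
    esac
  done
  val=$(env_get "$file" S3_BUCKET)
  if [ -n "$val" ] && ! printf '%s' "$val" | grep -Eq '^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$'; then
    echo "S3_BUCKET: not a valid bucket name"; problems=$((problems + 1))
  fi
  [ "$problems" -eq 0 ]
}

# Live check: HeadBucket with the credentials from the file. Needs the AWS CLI and network.
check_s3_live() {
  local file="$1" out
  out=$(AWS_ACCESS_KEY_ID=$(env_get "$file" AWS_ACCESS_KEY_ID) \
        AWS_SECRET_ACCESS_KEY=$(env_get "$file" AWS_SECRET_ACCESS_KEY) \
        AWS_DEFAULT_REGION=$(env_get "$file" AWS_DEFAULT_REGION) \
        aws s3api head-bucket --bucket "$(env_get "$file" S3_BUCKET)" 2>&1) && return 0
  case $out in
    *'(404)'*) echo "bucket does not exist" ;;
    *'(403)'*) echo "credentials rejected or no permission on the bucket" ;;
    *)         echo "S3 endpoint unreachable or other error: $out" ;;
  esac
  return 1
}

# When given a file argument, fail the deployment before the storage service starts.
if [ -n "${1:-}" ]; then
  validate_s3_env "$1" && check_s3_live "$1"
fi
```

Run it from the same container network as the storage service so the HeadBucket call also exercises connectivity to the S3 endpoint.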

References