CRE-2025-0140

Supabase Self-Hosted: Realtime Service Crash Due to Invalid ConfigurationMedium

Impact: 6/10

Mitigation: 5/10

CRE-2025-0140View on GitHub

SupabaseRealtimeConfigurationReplicationConnectionSelf-HostedConfiguration FailurePublic

Description

Detects when Supabase Realtime service fails to start or crashes due to invalid configuration parameters.\nThis affects WebSocket connections, real-time subscriptions, and live data streaming capabilities.\nCommon issues include invalid replication modes, missing database permissions, or incorrect environment variables.\n

Mitigation

IMMEDIATE:\n - Check realtime service logs: `docker-compose logs realtime`\n - Validate realtime environment variables in .env\n - Ensure database is accessible from realtime service\nCONFIGURATION:\n - Remove invalid REPLICATION_MODE if not using custom replication\n - Verify database connection settings:\n ```\n DB_HOST=db\n DB_PORT=5432\n DB_USER=supabase_realtime_admin\n ```\n - Set valid SECRET_KEY_BASE (64+ character random string)\n - Remove FLY_* variables if not deploying on Fly.io\nDATABASE:\n - Ensure realtime schema exists and has proper permissions\n - Check if supabase_realtime_admin role exists and has access\n - Verify _realtime schema is properly configured\n

References

• https://supabase.com/docs/guides/realtime
• https://github.com/supabase/realtime