82 matches found

OSV
added 2025/08/08 5:8 p.m. · 4 views

GHSA-V3GR-W9GF-23CX The AuthKit Remix Library renders sensitive auth data in HTML

Summary: Before 0.15.0, @workos-inc/authkit-remix returned sensitive authentication artifacts from the authkitLoader, specifically sealedSession and accessToken. Because these values were returned from the loader, they were embedded into the server-rendered HTML and became readable by any script...

CVSS 7.1 · AI score 6.1 · EPSS 0.00181
Exploits: 0 · References: 7
OSV
added 2025/08/08 5:4 p.m. · 4 views

GHSA-VQVC-9Q8X-VMQ6 The AuthKit React Router Library rendered sensitive auth data in HTML

In versions before 0.7.0, @workos-inc/authkit-react-router exposed sensitive authentication artifacts, specifically sealedSession and accessToken, by returning them from the authkitLoader. This caused them to be rendered into the browser HTML. Impact: This information disclosure could lead to...

CVSS 7.1 · AI score 6 · EPSS 0.00181
Exploits: 0 · References: 5
Github Security Blog
added 2025/08/08 5:4 p.m. · 6 views

The AuthKit React Router Library rendered sensitive auth data in HTML

In versions before 0.7.0, @workos-inc/authkit-react-router exposed sensitive authentication artifacts, specifically sealedSession and accessToken, by returning them from the authkitLoader. This caused them to be rendered into the browser HTML. Impact: This information disclosure could lead to...

CVSS 7.1 · AI score 6 · EPSS 0.00181
Exploits: 0 · References: 5 · Affected Software: 1
Positive Technologies
added 2025/08/08 12:0 a.m. · 11 views

PT-2025-32422 · Workos · Authkit

Name of the Vulnerable Software and Affected Versions: @workos-inc/authkit-remix versions 0.14.1 and below. Description: The AuthKit library for Remix exposed sensitive authentication artifacts – specifically sealedSession and accessToken – by returning them from the authkitLoader, causing them to...

CVSS 7.1 · AI score 6.3 · EPSS 0.00181
Exploits: 0 · References: 10
Positive Technologies
added 2025/08/08 12:0 a.m. · 5 views

PT-2025-32421 · Workos · Authkit-React-Router

Name of the Vulnerable Software and Affected Versions: @workos-inc/authkit-react-router versions 0.6.1 and below. Description: The AuthKit library for React Router exposes sensitive authentication artifacts – specifically sealedSession and accessToken – by returning them from the authkitLoader,...

CVSS 7.1 · AI score 6.2 · EPSS 0.00181
Exploits: 0 · References: 10
RedhatCVE
added 2025/05/23 10:5 a.m. · 5 views

CVE-2024-29901

The AuthKit library for Next.js provides helpers for authentication and session management using WorkOS & AuthKit with Next.js. A user can reuse an expired session by controlling the x-workos-session header. The vulnerability is patched in v0.4.2...

CVSS 8.1 · AI score 7.1 · EPSS 0.0046
Exploits: 0 · References: 1
RedhatCVE
added 2025/05/23 8:3 a.m. · 3 views

CVE-2024-51752

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In affected versions refresh tokens are logged to the console when the disabled-by-default debug flag is enabled. This issue has been patched in version 0.13...

CVSS 5.5 · AI score 7 · EPSS 0.00182
Exploits: 0 · References: 1
RedhatCVE
added 2025/05/23 6:23 a.m. · 4 views

CVE-2024-51753

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In affected versions refresh tokens are logged to the console when the disabled-by-default debug flag is enabled. This issue has been patched in version 0.4.1. A...

CVSS 2.1 · AI score 7 · EPSS 0.00086
Exploits: 0 · References: 1
NVD
added 2025/02/24 3:15 p.m. · 4 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

CVSS 6 · EPSS 0.00026
Exploits: 0 · References: 2
Cvelist
added 2025/02/24 12:0 a.m. · 6 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

CVSS 6 · EPSS 0.00026
Exploits: 0 · References: 2
Vulnrichment
added 2025/02/24 12:0 a.m. · 4 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

CVSS 6 · AI score 6.3 · EPSS 0.00026
Exploits: 0 · References: 2
CVE
added 2025/02/24 12:0 a.m. · 53 views

CVE-2025-23017

Vulnerability summary (CVE-2025-23017): WorkOS Hosted AuthKit before 2025-01-07 is affected. An attacker who knows a user’s password can bypass MFA by enrolling a new authentication factor. The description notes that no exploitation occurred. The practical impact is a password-authentication MFA...

CVSS 6 · AI score 7.4 · EPSS 0.00026
Exploits: 0 · References: 2
Positive Technologies
added 2025/02/24 12:0 a.m. · 3 views

PT-2025-7718 · Workos · Workos Hosted Authkit

Name of the Vulnerable Software and Affected Versions: WorkOS Hosted AuthKit versions prior to 2025-01-07. Description: The issue allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

CVSS 6 · AI score 7.6 · EPSS 0.00026
Exploits: 0 · References: 4
CNNVD
added 2025/02/24 12:0 a.m. · 1 views

WorkOS Hosted AuthKit Security Vulnerability

WorkOS Hosted AuthKit is a hosted, pre-built, customizable authentication UI from WorkOS. A security vulnerability exists in WorkOS Hosted AuthKit that stems from an attacker being able to bypass MFA authentication with knowledge of the user's password...

CVSS 6 · AI score 6.9 · EPSS 0.00026
Exploits: 0 · References: 3
Veracode
added 2024/11/14 9:20 a.m. · 7 views

Information Exposure

@workos-inc/authkit-remix is vulnerable to Information Exposure. The vulnerability is due to the debug flag being enabled, which allows an attacker to view refresh tokens logged to the console...

CVSS 2.1 · AI score 6.5 · EPSS 0.00086
Exploits: 0 · References: 3 · Affected Software: 1
NVD
added 2024/11/05 8:15 p.m. · 17 views

CVE-2024-51752

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In affected versions refresh tokens are logged to the console when the disabled-by-default debug flag is enabled. This issue has been patched in version 0.13...

CVSS 5.5 · EPSS 0.00182
Exploits: 0 · References: 3
NVD
added 2024/11/05 8:15 p.m. · 13 views

CVE-2024-51753

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In affected versions refresh tokens are logged to the console when the disabled-by-default debug flag is enabled. This issue has been patched in version 0.4.1. A...

CVSS 2.1 · EPSS 0.00086
Exploits: 0 · References: 3
OSV
added 2024/11/05 7:16 p.m. · 10 views

CVE-2024-51752 Refresh tokens are logged when the debug flag is enabled in @workos-inc/authkit-nextjs

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In affected versions refresh tokens are logged to the console when the disabled-by-default debug flag is enabled. This issue has been patched in version 0.13...

CVSS 2.1 · AI score 6.8 · EPSS 0.00182
Exploits: 0 · References: 5
CVE
added 2024/11/05 7:16 p.m. · 48 views

CVE-2024-51752

The CVE-2024-51752 entry concerns the AuthKit Next.js library for WorkOS/AuthKit integration. Affected versions log refresh tokens to the console when the debug flag is enabled, enabling potential token exposure through logs. The issue has a patched fix in version 0.13.2; upgrading to that versio...

CVSS 5.5 · AI score 6.7 · EPSS 0.00182
Exploits: 0 · References: 3 · Affected Software: 1
Cvelist
added 2024/11/05 7:16 p.m. · 16 views

CVE-2024-51752 Refresh tokens are logged when the debug flag is enabled in @workos-inc/authkit-nextjs

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In affected versions refresh tokens are logged to the console when the disabled-by-default debug flag is enabled. This issue has been patched in version 0.13...

CVSS 2.1 · EPSS 0.00182
Exploits: 0 · References: 3