
32 matches found

vulnersOsv
added 2026/05/05 6:42 p.m. · 3 views

@mastra/auth-workos (>=0.0.0-a2a-vnext-20260424123427 <=1.2.0-alpha.0), @workos/authkit-sveltekit (>=0.0.1-alpha.0 <=0.2.0) +1 more potentially affected by CVE-2026-42565 via @workos/authkit-session (>=0.0.1-alpha.3 <=0.4.0)

@workos/authkit-session NPM versions =0.0.1-alpha.3, =0.0.0-a2a-vnext-20260424123427, =0.0.1-alpha.0, =0.1.0, =0.6.0. Source CVEs: CVE-2026-42565. Source advisory: SNYK:JS-WORKOSAUTHKITSESSION-16425670...

CVSS 4.3 · AI score 5.8 · EPSS 0.00029
Exploits 0
vulnersOsv
added 2026/05/05 6:42 p.m. · 2 views

@mastra/auth-workos (>=0.0.0-a2a-vnext-20260424123427 <=1.2.0-alpha.0), @workos/authkit-sveltekit (>=0.0.1-alpha.0 <=0.2.0) +1 more potentially affected by CVE-2026-42565 via @workos/authkit-session (>=0.0.1-alpha.3 <=0.4.0)

@workos/authkit-session NPM versions =0.0.1-alpha.3, =0.0.0-a2a-vnext-20260424123427, =0.0.1-alpha.0, =0.1.0, =0.6.0. Source CVEs: CVE-2026-42565. Source advisory: OSV:GHSA-VVVV-983W-R7PV...

CVSS 4.3 · AI score 5.8 · EPSS 0.00029
Exploits 0
Snyk
added 2026/05/05 6:42 p.m. · 5 views

Open Redirect

Overview: @workos/authkit-session is a framework-agnostic authentication library for WorkOS with pluggable storage adapters. Affected versions of this package are vulnerable to Open Redirect via the handleCallback function when processing the returnPathname value derived from the OAuth state...

CVSS 5.3 · AI score 5.8 · EPSS 0.00029
Exploits 0 · References 2
OSV
added 2026/05/05 6:42 p.m. · 1 view

GHSA-VVVV-983W-R7PV @workos/authkit-session has an Open Redirect via state-derived redirect target

An open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The handleCallback...

CVSS 4.3 · AI score 5.8 · EPSS 0.00029
Exploits 0 · References 5
RedhatCVE
added 2026/01/09 9:17 a.m. · 4 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

CVSS 6 · AI score 7.3 · EPSS 0.00026
Exploits 0 · References 1
EUVD
added 2025/10/03 8:07 p.m. · 1 view

EUVD-2025-4298

Malicious code in bioql PyPI...

CVSS 6 · AI score 6.6 · EPSS 0.00026
Exploits 0 · References 3
EUVD
added 2025/10/03 8:07 p.m. · 9 views

EUVD-2025-24030

Malicious code in bioql PyPI...

CVSS 7.1 · AI score 6.3 · EPSS 0.00077
Exploits 0 · References 6
RedhatCVE
added 2025/08/11 2:30 a.m. · 7 views

CVE-2025-55009

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning the...

CVSS 7.1 · AI score 6.9 · EPSS 0.00077
Exploits 0 · References 1
RedhatCVE
added 2025/08/11 2:30 a.m. · 4 views

CVE-2025-55008

The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts — specifically sealedSession and accessToken by...

CVSS 7.1 · AI score 6.7 · EPSS 0.00077
Exploits 0 · References 1
Snyk
added 2025/08/09 2:41 a.m. · 3 views

Information Exposure

Overview: @workos-inc/authkit-react-router provides authentication and session helpers for using WorkOS & AuthKit with React Router 7+. Affected versions of this package are vulnerable to Information Exposure via the accessToken and sealedSession parameters in the authkitLoader function. An attacker c...

CVSS 7.6 · AI score 6.9 · EPSS 0.00077
Exploits 0 · References 2
OSV
added 2025/08/09 2:02 a.m. · 4 views

CVE-2025-55008 AuthKit React Router: Sensitive auth data rendered in HTML

The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts — specifically sealedSession and accessToken by...

CVSS 7.1 · AI score 6.6 · EPSS 0.00077
Exploits 0 · References 5
OSV
added 2025/08/09 2:02 a.m. · 3 views

CVE-2025-55009 AuthKit: Sensitive auth data rendered in HTML

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning the...

CVSS 7.1 · AI score 6.7 · EPSS 0.00077
Exploits 0 · References 5
RedhatCVE
added 2025/05/23 10:05 a.m. · 4 views

CVE-2024-29901

The AuthKit library for Next.js provides helpers for authentication and session management using WorkOS & AuthKit with Next.js. A user can reuse an expired session by controlling the x-workos-session header. The vulnerability is patched in v0.4.2...

CVSS 8.1 · AI score 7.1 · EPSS 0.0046
Exploits 0 · References 1
NVD
added 2025/02/24 3:15 p.m. · 4 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

CVSS 6 · EPSS 0.00026
Exploits 0 · References 2
Cvelist
added 2025/02/24 12:00 a.m. · 6 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

CVSS 6 · EPSS 0.00026
Exploits 0 · References 2
CVE
added 2025/02/24 12:00 a.m. · 52 views

CVE-2025-23017

Vulnerability summary (CVE-2025-23017) : WorkOS Hosted AuthKit before 2025-01-07 is affected. An attacker who knows a user’s password can bypass MFA by enrolling a new authentication factor. The description notes that no exploitation occurred. The practical impact is a password-authentication MFA...

CVSS 6 · AI score 7.4 · EPSS 0.00026
Exploits 0 · References 2
Vulnrichment
added 2025/02/24 12:00 a.m. · 4 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

CVSS 6 · AI score 6.3 · EPSS 0.00026
Exploits 0 · References 2
Positive Technologies
added 2025/02/24 12:00 a.m. · 3 views

PT-2025-7718 · Workos · Workos Hosted Authkit

Name of the Vulnerable Software and Affected Versions: WorkOS Hosted AuthKit versions prior to 2025-01-07. Description: The issue allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

CVSS 6 · AI score 7.6 · EPSS 0.00026
Exploits 0 · References 4
CNNVD
added 2025/02/24 12:00 a.m. · 1 view

WorkOS Hosted AuthKit security vulnerability

WorkOS Hosted AuthKit is a hosted, pre-built, customizable authentication UI from WorkOS. A security vulnerability exists in WorkOS Hosted AuthKit that stems from an attacker being able to bypass MFA authentication with knowledge of the user's password...

CVSS 6 · AI score 6.9 · EPSS 0.00026
Exploits 0 · References 3
Veracode
added 2024/11/14 9:20 a.m. · 7 views

Information Exposure

@workos-inc/authkit-remix is vulnerable to Information Exposure. The vulnerability is due to the debug flag being enabled, which allows an attacker to view refresh tokens logged to the console...

CVSS 2.1 · AI score 6.5 · EPSS 0.00086
Exploits 0 · References 3 · Affected Software 1