34 matches found
Malicious code in @mastra/auth-workos (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6fda21074dd42e87b39d51daa2005f7387067b9d8cd59742a05eec6515e40643 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
MAL-2026-6003 Malicious code in @mastra/auth-workos (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6fda21074dd42e87b39d51daa2005f7387067b9d8cd59742a05eec6515e40643 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...
@mastra/auth-workos (>=0.0.0-a2a-vnext-20260424123427 <=1.5.1-alpha.0), @workos/authkit-sveltekit (>=0.0.1-alpha.0 <=0.2.0) +1 more potentially affected by CVE-2026-42565 via @workos/authkit-session (>=0.0.1-alpha.3 <=0.4.0)
@workos/authkit-session NPM version =0.0.1-alpha.3, =0.0.0-a2a-vnext-20260424123427, =0.0.1-alpha.0, =0.1.0, =0.6.0 Source cves: CVE-2026-42565 Source advisory: OSV:GHSA-VVVV-983W-R7PV...
@mastra/auth-workos (>=0.0.0-a2a-vnext-20260424123427 <=1.5.1-alpha.0), @workos/authkit-sveltekit (>=0.0.1-alpha.0 <=0.2.0) +1 more potentially affected by CVE-2026-42565 via @workos/authkit-session (>=0.0.1-alpha.3 <=0.4.0)
@workos/authkit-session NPM version =0.0.1-alpha.3, =0.0.0-a2a-vnext-20260424123427, =0.0.1-alpha.0, =0.1.0, =0.6.0 Source cves: CVE-2026-42565 Source advisory: SNYK:JS-WORKOSAUTHKITSESSION-16425670...
Open Redirect
Overview @workos/authkit-session is a Framework-agnostic authentication library for WorkOS with pluggable storage adapters Affected versions of this package are vulnerable to Open Redirect via the handleCallback function when processing the returnPathname value derived from the OAuth state...
GHSA-VVVV-983W-R7PV @workos/authkit-session has an Open Redirect via state-derived redirect target
An open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round-tripped through the identity provider IdP and can be influenced by an attacker. The handleCallback...
CVE-2025-23017
WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...
EUVD-2025-24030
Malicious code in bioql PyPI...
EUVD-2025-4298
Malicious code in bioql PyPI...
CVE-2025-55008
The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts — specifically sealedSession and accessToken by...
CVE-2025-55009
The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning the...
Information Exposure
Overview @workos-inc/authkit-react-router is an Authentication and session helpers for using WorkOS & AuthKit with React Router 7+ Affected versions of this package are vulnerable to Information Exposure via the accessToken and sealedSession parameters in the authkitLoader function. An attacker c...
CVE-2025-55008 AuthKit React Router: Sensitive auth data rendered in HTML
The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts — specifically sealedSession and accessToken by...
CVE-2025-55009 AuthKit: Sensitive auth data rendered in HTML
The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning the...
CVE-2024-29901
The AuthKit library for Next.js provides helpers for authentication and session management using WorkOS & AuthKit with Next.js. A user can reuse an expired session by controlling the x-workos-session header. The vulnerability is patched in v0.4.2...
CVE-2025-23017
WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...
CVE-2025-23017
WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...
PT-2025-7718 · Workos · Workos Hosted Authkit
Name of the Vulnerable Software and Affected Versions: WorkOS Hosted AuthKit versions prior to 2025-01-07 Description: The issue allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...
CVE-2025-23017
WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...
WorkOS Hosted AuthKit 安全漏洞
WorkOS Hosted AuthKit is a hosted, pre-built, customizable authentication UI from WorkOS. A security vulnerability exists in WorkOS Hosted AuthKit that stems from an attacker being able to bypass MFA authentication with knowledge of the user's password...