Lucene search
+L

34 matches found

ossf
ossf
added 2026/06/17 4:57 a.m.10 views

Malicious code in @mastra/auth-workos (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6fda21074dd42e87b39d51daa2005f7387067b9d8cd59742a05eec6515e40643 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

5.9AI score
Exploits0References2
osv
osv
added 2026/06/17 4:57 a.m.6 views

MAL-2026-6003 Malicious code in @mastra/auth-workos (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6fda21074dd42e87b39d51daa2005f7387067b9d8cd59742a05eec6515e40643 The package was found to contain malicious code or consuming dependency that contains malicious code Source: ghsa-malware...

6.1AI score
Exploits0References2
vulnersosv
vulnersosv
added 2026/05/05 6:42 p.m.7 views

@mastra/auth-workos (>=0.0.0-a2a-vnext-20260424123427 <=1.5.1-alpha.0), @workos/authkit-sveltekit (>=0.0.1-alpha.0 <=0.2.0) +1 more potentially affected by CVE-2026-42565 via @workos/authkit-session (>=0.0.1-alpha.3 <=0.4.0)

@workos/authkit-session NPM version =0.0.1-alpha.3, =0.0.0-a2a-vnext-20260424123427, =0.0.1-alpha.0, =0.1.0, =0.6.0 Source cves: CVE-2026-42565 Source advisory: OSV:GHSA-VVVV-983W-R7PV...

4.3CVSS5.7AI score0.00196EPSS
Exploits0
vulnersosv
vulnersosv
added 2026/05/05 6:42 p.m.8 views

@mastra/auth-workos (>=0.0.0-a2a-vnext-20260424123427 <=1.5.1-alpha.0), @workos/authkit-sveltekit (>=0.0.1-alpha.0 <=0.2.0) +1 more potentially affected by CVE-2026-42565 via @workos/authkit-session (>=0.0.1-alpha.3 <=0.4.0)

@workos/authkit-session NPM version =0.0.1-alpha.3, =0.0.0-a2a-vnext-20260424123427, =0.0.1-alpha.0, =0.1.0, =0.6.0 Source cves: CVE-2026-42565 Source advisory: SNYK:JS-WORKOSAUTHKITSESSION-16425670...

4.3CVSS5.7AI score0.00196EPSS
Exploits0
snyk
snyk
added 2026/05/05 6:42 p.m.8 views

Open Redirect

Overview @workos/authkit-session is a Framework-agnostic authentication library for WorkOS with pluggable storage adapters Affected versions of this package are vulnerable to Open Redirect via the handleCallback function when processing the returnPathname value derived from the OAuth state...

5.3CVSS5.8AI score0.00196EPSS
Exploits0References2
osv
osv
added 2026/05/05 6:42 p.m.15 views

GHSA-VVVV-983W-R7PV @workos/authkit-session has an Open Redirect via state-derived redirect target

An open redirect vulnerability exists in AuthService.handleCallback due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round-tripped through the identity provider IdP and can be influenced by an attacker. The handleCallback...

4.3CVSS5.8AI score0.00196EPSS
Exploits0References5
redhatcve
redhatcve
added 2026/01/09 9:17 a.m.9 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

6CVSS7.3AI score0.00311EPSS
Exploits0References1
euvd
euvd
added 2025/10/03 8:7 p.m.52 views

EUVD-2025-24030

Malicious code in bioql PyPI...

7.1CVSS6.3AI score0.00364EPSS
Exploits0References6
euvd
euvd
added 2025/10/03 8:7 p.m.5 views

EUVD-2025-4298

Malicious code in bioql PyPI...

6CVSS6.6AI score0.00311EPSS
Exploits0References3
redhatcve
redhatcve
added 2025/08/11 2:30 a.m.16 views

CVE-2025-55008

The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts — specifically sealedSession and accessToken by...

7.1CVSS6.7AI score0.00364EPSS
Exploits0References1
redhatcve
redhatcve
added 2025/08/11 2:30 a.m.28 views

CVE-2025-55009

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning the...

7.1CVSS6.9AI score0.00364EPSS
Exploits0References1
snyk
snyk
added 2025/08/09 2:41 a.m.5 views

Information Exposure

Overview @workos-inc/authkit-react-router is an Authentication and session helpers for using WorkOS & AuthKit with React Router 7+ Affected versions of this package are vulnerable to Information Exposure via the accessToken and sealedSession parameters in the authkitLoader function. An attacker c...

7.6CVSS6.9AI score0.00364EPSS
Exploits0References2
osv
osv
added 2025/08/09 2:2 a.m.8 views

CVE-2025-55008 AuthKit React Router: Sensitive auth data rendered in HTML

The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts — specifically sealedSession and accessToken by...

7.1CVSS6.6AI score0.00364EPSS
Exploits0References5
osv
osv
added 2025/08/09 2:2 a.m.28 views

CVE-2025-55009 AuthKit: Sensitive auth data rendered in HTML

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning the...

7.1CVSS6.7AI score0.00364EPSS
Exploits0References5
redhatcve
redhatcve
added 2025/05/23 10:5 a.m.8 views

CVE-2024-29901

The AuthKit library for Next.js provides helpers for authentication and session management using WorkOS & AuthKit with Next.js. A user can reuse an expired session by controlling the x-workos-session header. The vulnerability is patched in v0.4.2...

8.1CVSS7.1AI score0.00659EPSS
Exploits0References1
nvd
nvd
added 2025/02/24 3:15 p.m.8 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

6CVSS0.00311EPSS
Exploits0References2
cvelist
cvelist
added 2025/02/24 12:0 a.m.15 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

6CVSS0.00311EPSS
Exploits0References2
ptsecurity
ptsecurity
added 2025/02/24 12:0 a.m.6 views

PT-2025-7718 · Workos · Workos Hosted Authkit

Name of the Vulnerable Software and Affected Versions: WorkOS Hosted AuthKit versions prior to 2025-01-07 Description: The issue allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

6CVSS7.6AI score0.00311EPSS
Exploits0References4
vulnrichment
vulnrichment
added 2025/02/24 12:0 a.m.6 views

CVE-2025-23017

WorkOS Hosted AuthKit before 2025-01-07 allows a password authentication MFA bypass by enrolling a new authentication factor when the attacker knows the user's password. No exploitation occurred...

6CVSS6.3AI score0.00311EPSS
Exploits0References2
cnnvd
cnnvd
added 2025/02/24 12:0 a.m.6 views

WorkOS Hosted AuthKit 安全漏洞

WorkOS Hosted AuthKit is a hosted, pre-built, customizable authentication UI from WorkOS. A security vulnerability exists in WorkOS Hosted AuthKit that stems from an attacker being able to bypass MFA authentication with knowledge of the user's password...

6CVSS6.9AI score0.00311EPSS
Exploits0References3
Rows per page
Query Builder