
    4 vulnerabilities found for authkit-remix by workos

    CVE-2025-55009 (GCVE-0-2025-55009)

    Vulnerability from nvd – Published: 2025-08-09 02:02 – Updated: 2025-08-11 14:35
    VLAI
    Title
    AuthKit: Sensitive auth data rendered in HTML
    Summary
    The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning them from the authkitLoader. This caused them to be rendered into the browser HTML.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    workos authkit-remix Affected: < 0.15.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55009",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-11T14:35:41.842990Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-11T14:35:52.345Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authkit-remix",
              "vendor": "workos",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS \u0026 AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts \u2014 specifically sealedSession and accessToken \u2014 by returning them from the authkitLoader. This caused them to be rendered into the browser HTML."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-09T02:02:07.611Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/workos/authkit-remix/security/advisories/GHSA-v3gr-w9gf-23cx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/workos/authkit-remix/security/advisories/GHSA-v3gr-w9gf-23cx"
            },
            {
              "name": "https://github.com/workos/authkit-remix/commit/20102afc74bf3dd5150a975a098067fb406b90b6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/workos/authkit-remix/commit/20102afc74bf3dd5150a975a098067fb406b90b6"
            },
            {
              "name": "https://github.com/workos/authkit-remix/releases/tag/v0.15.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/workos/authkit-remix/releases/tag/v0.15.0"
            }
          ],
          "source": {
            "advisory": "GHSA-v3gr-w9gf-23cx",
            "discovery": "UNKNOWN"
          },
          "title": "AuthKit: Sensitive auth data rendered in HTML"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-55009",
        "datePublished": "2025-08-09T02:02:07.611Z",
        "dateReserved": "2025-08-04T17:34:24.422Z",
        "dateUpdated": "2025-08-11T14:35:52.345Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51753 (GCVE-0-2024-51753)

    Vulnerability from nvd – Published: 2024-11-05 19:14 – Updated: 2024-11-05 20:16
    VLAI
    Title
    Refresh tokens are logged when the debug flag is enabled in @workos-inc/authkit-remix
    Summary
    The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In affected versions, refresh tokens are logged to the console when the `debug` flag, which is disabled by default, is enabled. This issue has been patched in version 0.4.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    workos authkit-remix Affected: < 0.4.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51753",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-05T20:15:29.247219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-05T20:16:29.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authkit-remix",
              "vendor": "workos",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS \u0026 AuthKit with Remix. In affected versions refresh tokens are logged to the console when the disabled by default `debug` flag, is enabled. This issue has been patched in version 0.4.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-05T19:14:47.097Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/workos/authkit-remix/security/advisories/GHSA-v2qh-f584-6hj8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/workos/authkit-remix/security/advisories/GHSA-v2qh-f584-6hj8"
            },
            {
              "name": "https://github.com/workos/authkit-remix/commit/32d5bcd54c795c1e2a3204f8e3977ab9ad57ec06",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/workos/authkit-remix/commit/32d5bcd54c795c1e2a3204f8e3977ab9ad57ec06"
            },
            {
              "name": "https://github.com/workos/authkit-remix/releases/tag/v0.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/workos/authkit-remix/releases/tag/v0.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-v2qh-f584-6hj8",
            "discovery": "UNKNOWN"
          },
          "title": "Refresh tokens are logged when the debug flag is enabled in @workos-inc/authkit-remix"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-51753",
        "datePublished": "2024-11-05T19:14:47.097Z",
        "dateReserved": "2024-10-31T14:12:45.791Z",
        "dateUpdated": "2024-11-05T20:16:29.928Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2025-55009 (GCVE-0-2025-55009)

    Vulnerability from cvelistv5 – Published: 2025-08-09 02:02 – Updated: 2025-08-11 14:35
    VLAI
    Title
    AuthKit: Sensitive auth data rendered in HTML
    Summary
    The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning them from the authkitLoader. This caused them to be rendered into the browser HTML.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-200 - Exposure of Sensitive Information to an Unauthorized Actor
    Assigner
    Impacted products
    Vendor Product Version
    workos authkit-remix Affected: < 0.15.0

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2025-55009",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2025-08-11T14:35:41.842990Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2025-08-11T14:35:52.345Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authkit-remix",
              "vendor": "workos",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.15.0"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS \u0026 AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts \u2014 specifically sealedSession and accessToken \u2014 by returning them from the authkitLoader. This caused them to be rendered into the browser HTML."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "attackComplexity": "HIGH",
                "attackVector": "NETWORK",
                "availabilityImpact": "LOW",
                "baseScore": 7.1,
                "baseSeverity": "HIGH",
                "confidentialityImpact": "HIGH",
                "integrityImpact": "HIGH",
                "privilegesRequired": "LOW",
                "scope": "UNCHANGED",
                "userInteraction": "NONE",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2025-08-09T02:02:07.611Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/workos/authkit-remix/security/advisories/GHSA-v3gr-w9gf-23cx",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/workos/authkit-remix/security/advisories/GHSA-v3gr-w9gf-23cx"
            },
            {
              "name": "https://github.com/workos/authkit-remix/commit/20102afc74bf3dd5150a975a098067fb406b90b6",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/workos/authkit-remix/commit/20102afc74bf3dd5150a975a098067fb406b90b6"
            },
            {
              "name": "https://github.com/workos/authkit-remix/releases/tag/v0.15.0",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/workos/authkit-remix/releases/tag/v0.15.0"
            }
          ],
          "source": {
            "advisory": "GHSA-v3gr-w9gf-23cx",
            "discovery": "UNKNOWN"
          },
          "title": "AuthKit: Sensitive auth data rendered in HTML"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2025-55009",
        "datePublished": "2025-08-09T02:02:07.611Z",
        "dateReserved": "2025-08-04T17:34:24.422Z",
        "dateUpdated": "2025-08-11T14:35:52.345Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }

    CVE-2024-51753 (GCVE-0-2024-51753)

    Vulnerability from cvelistv5 – Published: 2024-11-05 19:14 – Updated: 2024-11-05 20:16
    VLAI
    Title
    Refresh tokens are logged when the debug flag is enabled in @workos-inc/authkit-remix
    Summary
    The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In affected versions, refresh tokens are logged to the console when the `debug` flag, which is disabled by default, is enabled. This issue has been patched in version 0.4.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-532 - Insertion of Sensitive Information into Log File
    Assigner
    Impacted products
    Vendor Product Version
    workos authkit-remix Affected: < 0.4.1

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2024-51753",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2024-11-05T20:15:29.247219Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2024-11-05T20:16:29.928Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "product": "authkit-remix",
              "vendor": "workos",
              "versions": [
                {
                  "status": "affected",
                  "version": "\u003c 0.4.1"
                }
              ]
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS \u0026 AuthKit with Remix. In affected versions refresh tokens are logged to the console when the disabled by default `debug` flag, is enabled. This issue has been patched in version 0.4.1. All users are advised to upgrade. There are no known workarounds for this vulnerability."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "attackComplexity": "LOW",
                "attackRequirements": "PRESENT",
                "attackVector": "LOCAL",
                "baseScore": 2.1,
                "baseSeverity": "LOW",
                "privilegesRequired": "NONE",
                "subAvailabilityImpact": "NONE",
                "subConfidentialityImpact": "NONE",
                "subIntegrityImpact": "NONE",
                "userInteraction": "NONE",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
                "version": "4.0",
                "vulnAvailabilityImpact": "NONE",
                "vulnConfidentialityImpact": "LOW",
                "vulnIntegrityImpact": "NONE"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-532",
                  "description": "CWE-532: Insertion of Sensitive Information into Log File",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2024-11-05T19:14:47.097Z",
            "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
            "shortName": "GitHub_M"
          },
          "references": [
            {
              "name": "https://github.com/workos/authkit-remix/security/advisories/GHSA-v2qh-f584-6hj8",
              "tags": [
                "x_refsource_CONFIRM"
              ],
              "url": "https://github.com/workos/authkit-remix/security/advisories/GHSA-v2qh-f584-6hj8"
            },
            {
              "name": "https://github.com/workos/authkit-remix/commit/32d5bcd54c795c1e2a3204f8e3977ab9ad57ec06",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/workos/authkit-remix/commit/32d5bcd54c795c1e2a3204f8e3977ab9ad57ec06"
            },
            {
              "name": "https://github.com/workos/authkit-remix/releases/tag/v0.4.1",
              "tags": [
                "x_refsource_MISC"
              ],
              "url": "https://github.com/workos/authkit-remix/releases/tag/v0.4.1"
            }
          ],
          "source": {
            "advisory": "GHSA-v2qh-f584-6hj8",
            "discovery": "UNKNOWN"
          },
          "title": "Refresh tokens are logged when the debug flag is enabled in @workos-inc/authkit-remix"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "assignerShortName": "GitHub_M",
        "cveId": "CVE-2024-51753",
        "datePublished": "2024-11-05T19:14:47.097Z",
        "dateReserved": "2024-10-31T14:12:45.791Z",
        "dateUpdated": "2024-11-05T20:16:29.928Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.1"
    }