CVE-2025-55008
BaseFortify
Publication date: 2025-08-09
Last updated on: 2025-08-11
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| workos-inc | authkit-react-router | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
Upgrade the AuthKit library for React Router to version 0.7.0 or later, as this version fixes the issue of sensitive authentication artifacts being exposed in the browser HTML.
Can you explain this vulnerability to me?
The vulnerability in the AuthKit library for React Router versions 0.6.1 and below involves the exposure of sensitive authentication artifacts, specifically sealedSession and accessToken. These were returned from the authkitLoader and rendered into the browser HTML, potentially allowing unauthorized access to authentication data. This issue was fixed in version 0.7.0.
How can this vulnerability impact me? :
This vulnerability can lead to unauthorized disclosure of sensitive authentication tokens (sealedSession and accessToken) by exposing them in the browser HTML. An attacker could potentially use these tokens to impersonate users, gain unauthorized access to protected resources, or hijack user sessions, resulting in compromised security and privacy.