CVE-2025-55009
The AuthKit Remix Library renders sensitive auth data in HTML
Description
### Summary

Before `0.15.0`, `@workos-inc/authkit-remix` returned sensitive authentication artifacts from the `authkitLoader`, specifically `sealedSession` and `accessToken`. Because these values were returned from the loader, they were embedded into the server-rendered HTML and became readable by any script with access to the page's DOM (e.g., in the presence of XSS or a malicious browser extension).

* **Impact:** Exposure of these secrets can lead to session hijacking and unauthorized API access.
* **Fix:** Version `0.15.0` changes the default behavior so the loader no longer returns `sealedSession`/`accessToken`. A secure server-side mechanism is provided to fetch an access token when needed.

### Patches

Patched in [v0.15.0](https://github.com/workos/authkit-remix/releases/tag/v0.15.0).
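The leak mechanism above is generic to Remix-style loaders: whatever a loader returns is serialized into the server-rendered document as the hydration payload, so any field in the return value is readable by page scripts. The following is an added illustration, not code from `@workos-inc/authkit-remix` or from the advisory. It assumes a hypothetical server-side session shape (`ServerSession`) and uses a constructed stand-in for the hydration script that Remix emits; `vulnerableLoaderData`, `hardenedLoaderData`, `renderHydrationPayload` and `findLeakedKeys` are names chosen here. It contrasts the pre-0.15.0 behaviour described in the advisory (returning the whole session) with a loader that returns only what the UI needs, and adds a check a team can run in tests to catch any loader that starts returning the sensitive keys again. The actual remediation remains the upgrade listed below; this only shows why the upgrade matters and how to regression-test for the class of bug.

```typescript
// Added example (not the authkit-remix library's own code).
// Hypothetical shape of what an AuthKit-style loader holds server-side.
interface ServerSession {
  user: { id: string; email: string };
  sealedSession: string; // encrypted session cookie payload (assumed)
  accessToken: string;   // bearer token for API calls (assumed)
}

// Keys the advisory names as sensitive: they must never reach the client.
const SENSITIVE_KEYS = new Set(["sealedSession", "accessToken"]);

// Vulnerable pattern (pre-0.15.0 behaviour as the advisory describes it):
// the loader hands the whole session object back, so the framework
// serializes every field, tokens included, into the HTML.
function vulnerableLoaderData(session: ServerSession) {
  return { ...session };
}

// Hardened pattern: return only the non-secret fields the UI needs.
// Anything that needs the access token is done server-side instead.
function hardenedLoaderData(session: ServerSession) {
  const { user } = session;
  return { user };
}

// Constructed stand-in for the hydration script a Remix server response
// embeds: loader data becomes JSON inside the document, i.e. DOM-readable.
function renderHydrationPayload(data: unknown): string {
  return `<script>window.__remixContext=${JSON.stringify(data)};</script>`;
}

// Defender check: walk any loader return value and report the dotted paths
// of sensitive keys, so a unit test can fail before the page ever ships.
function findLeakedKeys(value: unknown, path = ""): string[] {
  if (value === null || typeof value !== "object") return [];
  const hits: string[] = [];
  const obj = value as Record<string, unknown>;
  for (const key of Object.keys(obj)) {
    const here = path ? `${path}.${key}` : key;
    if (SENSITIVE_KEYS.has(key)) hits.push(here);
    hits.push(...findLeakedKeys(obj[key], here));
  }
  return hits;
}

// Second, value-based check: does the rendered HTML contain either secret?
// Useful in an integration test where only the response body is available.
function htmlContainsSecret(html: string, session: ServerSession): boolean {
  return html.includes(session.accessToken) || html.includes(session.sealedSession);
}

// Constructed sample session; the token strings are placeholders, not real.
const sampleSession: ServerSession = {
  user: { id: "user_01EXAMPLE", email: "alice@example.com" },
  sealedSession: "SEALED_SESSION_PLACEHOLDER",
  accessToken: "ACCESS_TOKEN_PLACEHOLDER",
};

console.log("vulnerable loader leaks:", findLeakedKeys(vulnerableLoaderData(sampleSession)));
console.log("hardened loader leaks:", findLeakedKeys(hardenedLoaderData(sampleSession)));
console.log(
  "secret in rendered HTML (vulnerable):",
  htmlContainsSecret(renderHydrationPayload(vulnerableLoaderData(sampleSession)), sampleSession),
);
```

In a real Remix app the equivalent of `findLeakedKeys` would be applied to the object your route loader returns (or to the parsed `window.__remixContext` in an end-to-end test); the key-based check catches nested leaks such as `session.accessToken`, while the value-based check guards against the same secret being returned under a renamed field.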
How to fix CVE-2025-55009
To remediate CVE-2025-55009, upgrade the affected package to a fixed version below.
- `@workos-inc/authkit-remix`: upgrade to 0.15.0 or later
Is CVE-2025-55009 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- `@workos-inc/authkit-remix`: versions from 0, < 0.15.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.1) | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L |