CVE-2025-55009
The AuthKit Remix Library renders sensitive auth data in HTML
Description
### Summary

Before `0.15.0`, `@workos-inc/authkit-remix` returned sensitive authentication artifacts from the `authkitLoader`, specifically `sealedSession` and `accessToken`. Because these values were returned from the loader, they were embedded into the server-rendered HTML and became readable by any script with access to the page's DOM (e.g., in the presence of XSS or a malicious browser extension).

* **Impact:** Exposure of these secrets can lead to session hijacking and unauthorized API access.
* **Fix:** Version `0.15.0` changes the default behavior so the loader no longer returns `sealedSession`/`accessToken`. A secure server-side mechanism is provided to fetch an access token when needed.

### Patches

Patched in [v0.15.0](https://github.com/workos/authkit-remix/releases/tag/v0.15.0).
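The following TypeScript is an added illustration, not code from the authkit-remix project: it models how everything a Remix loader returns is serialized into the page's hydration payload, shows a loader-side allowlist that keeps `sealedSession` and `accessToken` out of that payload, and includes a check a maintainer can run in tests to catch a regression. The `user` and `sessionId` fields and the sample values are assumptions.

```typescript
// Added example, not the library's own code. Models the pre-0.15.0 defect:
// whatever a Remix loader returns is JSON-serialized into the server-rendered
// HTML, so returning secrets from the loader exposes them to any DOM reader.

type AuthLoaderData = {
  user: { id: string; email: string } | null; // assumed shape
  sessionId: string | null;                    // assumed field
  sealedSession: string | null;                // secret: must not reach the DOM
  accessToken: string | null;                  // secret: must not reach the DOM
};

const SECRET_FIELDS = ["sealedSession", "accessToken"] as const;

// Fixed behaviour: return only the fields the client needs to render.
// Built explicitly (allowlist) rather than by deleting keys (denylist), so a
// new secret field added later is not exposed by default.
function toClientSafeLoaderData(data: AuthLoaderData) {
  return { user: data.user, sessionId: data.sessionId };
}

// Simulates the hydration payload Remix embeds in the HTML as JSON.
function serializeForHtml(loaderData: unknown): string {
  return JSON.stringify(loaderData);
}

// Regression check: returns the names of any secret whose value appears in
// the rendered page; an empty list means nothing leaked.
function leakedSecrets(html: string, data: AuthLoaderData): string[] {
  return SECRET_FIELDS.filter((field) => {
    const value = data[field];
    return value !== null && html.includes(value);
  });
}

// Constructed sample data; the token strings are placeholders, not real secrets.
const sample: AuthLoaderData = {
  user: { id: "user_123", email: "alice@example.com" },
  sessionId: "sess_abc",
  sealedSession: "SEALED_SESSION_PLACEHOLDER",
  accessToken: "ACCESS_TOKEN_PLACEHOLDER",
};

const vulnerableHtml = serializeForHtml(sample);                         // pre-0.15.0
const fixedHtml = serializeForHtml(toClientSafeLoaderData(sample));      // 0.15.0 default
```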
How to patch CVE-2025-55009
To patch CVE-2025-55009, upgrade the affected package to the patched version listed below.
- `@workos-inc/authkit-remix`: upgrade to 0.15.0 or later
Is CVE-2025-55009 being exploited?
Low: EPSS is 0.1%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- `@workos-inc/authkit-remix`: from 0, < 0.15.0
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L |