CVE-2024-51752

5.5 MEDIUM

📋 TL;DR

The AuthKit library for Next.js logs refresh tokens to the console when the debug flag is enabled, potentially exposing sensitive authentication credentials. This affects users of AuthKit for Next.js versions before 0.13.2 who have enabled debug logging. Attackers with access to console logs could steal refresh tokens and potentially hijack user sessions.

💻 Affected Systems

Products:
  • AuthKit library for Next.js
Versions: before 0.13.2
Operating Systems: All
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when the debug flag is explicitly enabled. Default configuration is not vulnerable.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain access to console logs containing refresh tokens, allowing them to impersonate users, access sensitive data, and maintain persistent unauthorized access to applications.

🟠 Likely Case

Refresh tokens exposed in development or staging environments could be compromised if logs are not properly secured, leading to unauthorized access to those environments.

🟢 If Mitigated

With debug logging disabled (default configuration), no exposure occurs. Proper log security and access controls prevent token leakage even if debug is enabled.

🌐 Internet-Facing: MEDIUM - Internet-facing applications with debug enabled could expose tokens in accessible logs, but debug is disabled by default.
🏢 Internal Only: LOW - Internal applications with debug enabled could expose tokens, but requires attackers to already have internal access to view logs.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: NO
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to console logs where debug output is written. No special tools or techniques needed beyond log access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.13.2

Vendor Advisory: https://github.com/workos/authkit-nextjs/security/advisories/GHSA-5wmg-9cvh-qw25

Restart Required: Yes

Instructions:

1. Update package.json to use authkit-nextjs version 0.13.2 or later.
2. Run 'npm update @workos-inc/authkit-nextjs' or 'yarn upgrade @workos-inc/authkit-nextjs'.
3. Restart your Next.js application.

🔧 Temporary Workarounds

Disable debug logging

all

Ensure the debug flag is not enabled in AuthKit configuration

Check your AuthKit configuration and remove or set debug: false

🧯 If You Can't Patch

  • Ensure debug logging is disabled in all environments
  • Implement strict access controls and monitoring for application logs

🔍 How to Verify

Check if Vulnerable:

Check package.json for @workos-inc/authkit-nextjs version. If version is below 0.13.2 and debug logging is enabled, the system is vulnerable.

Check Version:

npm list @workos-inc/authkit-nextjs or check package.json

Verify Fix Applied:

Verify package.json shows version 0.13.2 or later and check that refresh tokens are no longer logged when debug is enabled.

📡 Detection & Monitoring

Log Indicators:

  • Refresh tokens appearing in console logs or application logs
  • Debug log entries containing authentication tokens

Network Indicators:

  • None - this is a local logging issue

SIEM Query:

Search for patterns matching refresh tokens in application logs: /refresh_token=[A-Za-z0-9._-]+/ or similar token patterns
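
The version check and log search described above, combined into one Node.js script as an added example (not code from AuthKit or the vendor advisory). The sample log lines are constructed because the page does not show the real debug output format, and the JSON-style key is an assumed "similar token pattern".

```javascript
// Added example, not AuthKit code. Sample data below is constructed.
const FIXED = [0, 13, 2]; // patch version named in the advisory

// Extract [major, minor, patch] from "0.13.1", "^0.13.1", "~0.12.0", ...
function parseVersion(spec) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(spec);
  if (!m) throw new Error(`unrecognised version: ${spec}`);
  return m.slice(1).map(Number);
}

// True when the version is below 0.13.2. A package.json range is only a
// lower bound; pass the installed version from `npm list` for certainty.
function isAffected(spec) {
  const v = parseVersion(spec);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return false;
}

// The page's pattern, plus a JSON-style key (assumed "similar" pattern).
const TOKEN_RE = /(refresh_token=|"refresh_?token"\s*:\s*")([A-Za-z0-9._-]+)/gi;

// Report leaking lines with the token masked, so the report leaks nothing.
function scanLog(text) {
  const findings = [];
  text.split("\n").forEach((line, idx) => {
    const redacted = line.replace(TOKEN_RE, (_, key) => `${key}[REDACTED]`);
    if (redacted !== line) findings.push({ line: idx + 1, redacted });
  });
  return findings;
}

// Constructed log excerpt; real debug output may be formatted differently.
const SAMPLE_LOG = [
  "info  - ready on http://localhost:3000",
  "debug - session refresh refresh_token=abc123.DEF-456_xyz",
  'debug - {"refreshToken":"tok_constructed_0001"}',
].join("\n");

console.log(isAffected("0.13.1"), scanLog(SAMPLE_LOG));
```

Any refresh token found this way should be treated as compromised and revoked, since masking the report does not remove the value from the original log.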
