CVE-2025-55008
📋 TL;DR
The AuthKit library for React Router 7+ (versions 0.6.1 and below) exposes sensitive authentication artifacts (sealedSession and accessToken) by returning them from the authkitLoader, which causes them to be rendered into the browser HTML. This potentially allows attackers to steal authentication tokens and hijack user sessions. Anyone using @workos-inc/authkit-react-router version 0.6.1 or earlier is affected.
💻 Affected Systems
- @workos-inc/authkit-react-router
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers steal authentication tokens and gain unauthorized access to user accounts, potentially compromising sensitive data and performing privileged actions.
Likely Case
Session hijacking leading to unauthorized access to user accounts and potential data exposure.
If Mitigated
Limited impact if proper network segmentation and monitoring are in place, but authentication tokens remain exposed.
🎯 Exploit Status
Exploitation requires viewing page source or using browser developer tools to extract exposed tokens.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.7.0
Vendor Advisory: https://github.com/workos/authkit-react-router/security/advisories/GHSA-vqvc-9q8x-vmq6
Restart Required: Yes
Instructions:
1. Update package.json to use @workos-inc/authkit-react-router version 0.7.0 or higher.
2. Run npm update or yarn upgrade.
3. Restart your application server.
4. Test authentication flows.
🔧 Temporary Workarounds
Manual token removal
Manually modify code to prevent authkitLoader from returning sensitive tokens
Review and modify authkitLoader implementation to exclude sealedSession and accessToken from return values
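The workaround above, as an added example that is not the library's own code: a wrapper that removes sealedSession and accessToken from whatever a loader returns before React Router serializes it into the page, plus a helper for the version check from the verification section. The names withoutAuthArtifacts, stripSensitiveLoaderData and isAffectedVersion, and the assumption that the wrapped loader resolves to a plain object, are this example's own.

```javascript
// Added example (not the library's code): strip the artifacts named in this
// advisory from loader data before React Router serializes it into page HTML,
// and check whether an installed version is in the affected range.
// Assumption: the wrapped loader returns a plain object or a Promise of one.
const SENSITIVE_KEYS = new Set(["sealedSession", "accessToken"]);

// Recursively copy loader data, dropping sensitive keys at any depth.
// Returns the sanitized copy plus the dotted paths removed, so a deployment
// can log that a token nearly reached the client.
function stripSensitiveLoaderData(data, path = "", removed = []) {
  if (Array.isArray(data)) {
    const items = data.map((v, i) => stripSensitiveLoaderData(v, `${path}[${i}]`, removed).data);
    return { data: items, removed };
  }
  if (data === null || typeof data !== "object") return { data, removed };
  const out = {};
  for (const [key, value] of Object.entries(data)) {
    const keyPath = path ? `${path}.${key}` : key;
    if (SENSITIVE_KEYS.has(key)) {
      removed.push(keyPath);
      continue;
    }
    out[key] = stripSensitiveLoaderData(value, keyPath, removed).data;
  }
  return { data: out, removed };
}

// Wrap a loader (e.g. the package's authkitLoader, assumed to resolve to a
// plain object) so its result is sanitized before it reaches React Router.
function withoutAuthArtifacts(loader, onRemoved = () => {}) {
  return async function sanitizedLoader(args) {
    const { data, removed } = stripSensitiveLoaderData(await loader(args));
    if (removed.length > 0) onRemoved(removed);
    return data;
  };
}

// True when a "MAJOR.MINOR.PATCH" string (optional leading "v" or pre-release
// suffix) is 0.6.1 or below, the affected range this advisory lists.
function isAffectedVersion(version) {
  const parts = version.trim().replace(/^v/, "").split("-")[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) throw new Error(`bad version: ${version}`);
  const lastAffected = [0, 6, 1];
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== lastAffected[i]) return parts[i] < lastAffected[i];
  }
  return true; // exactly 0.6.1
}
```

Wiring it in means exporting `withoutAuthArtifacts(authkitLoader)` as the route loader instead of `authkitLoader` itself, and routing `onRemoved` to the application log so the stripped paths show up in monitoring.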
🧯 If You Can't Patch
- Implement Content Security Policy (CSP) headers to restrict script execution
- Add monitoring for unusual authentication patterns and token usage
🔍 How to Verify
Check if Vulnerable:
Check whether the @workos-inc/authkit-react-router version in package.json is 0.6.1 or below, or inspect the browser HTML for exposed sealedSession and accessToken values.
Check Version:
npm list @workos-inc/authkit-react-router
Verify Fix Applied:
Confirm that package.json uses version 0.7.0 or higher, and verify that the tokens are no longer visible in the browser's HTML source.
📡 Detection & Monitoring
Log Indicators:
- Multiple failed authentication attempts from the same IP
- Unusual session creation patterns
Network Indicators:
- Unexpected requests with authentication tokens
- Traffic patterns suggesting token harvesting
SIEM Query:
source="application_logs" AND ("sealedSession" OR "accessToken") AND status="200"