CVE-2025-64762

9.1 CRITICAL

📋 TL;DR

The AuthKit library for Next.js versions 2.11.0 and below fails to apply anti-caching headers to authenticated responses. This allows session tokens to be cached by CDNs and served to multiple users, potentially enabling session hijacking. Applications using authkit-nextjs with CDN caching enabled on authenticated paths are affected.

💻 Affected Systems

Products:
  • authkit-nextjs
Versions: 2.11.0 and below
Operating Systems: all
Default Config Vulnerable: ✅ No
Notes: Vercel deployments are unaffected unless CDN caching is manually enabled on authenticated paths.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers can hijack authenticated user sessions, gaining unauthorized access to sensitive data and functionality, potentially leading to account takeover and data breaches.

🟠 Likely Case

Session tokens leak through CDN caching, allowing unauthorized users to access other users' authenticated sessions and data.

🟢 If Mitigated

With proper anti-caching headers, authenticated responses are not cached, preventing session token leakage.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires CDN caching to be enabled on authenticated paths and an attacker to access cached responses.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.11.1

Vendor Advisory: https://github.com/workos/authkit-nextjs/security/advisories/GHSA-p8pf-44ff-93gf

Restart Required: No

Instructions:

1. Update authkit-nextjs to version 2.11.1 or higher.
2. Run npm update authkit-nextjs or yarn upgrade authkit-nextjs.
3. Deploy the updated application.

🔧 Temporary Workarounds

Manually add anti-caching headers (applies to: all)

In your Next.js API routes or middleware, add the following header to every authenticated response:

Cache-Control: no-store, no-cache, must-revalidate, private

Disable CDN caching on authenticated paths (applies to: all)

Configure your CDN or deployment platform to disable caching for authenticated routes.

🧯 If You Can't Patch

  • Disable CDN caching for all authenticated paths in your deployment configuration.
  • Implement additional session validation and monitoring to detect unauthorized access.

🔍 How to Verify

Check if Vulnerable:

Check your package.json for authkit-nextjs version 2.11.0 or below and verify whether CDN caching is enabled on authenticated paths.

Check Version:

npm list authkit-nextjs

Verify Fix Applied:

Verify authkit-nextjs version is 2.11.1 or higher and test authenticated responses to confirm Cache-Control headers are present.
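As an added example that is not part of this advisory or the authkit-nextjs project, the following JavaScript covers both the manual workaround and the verification step above: it audits a response's headers for the shared-cache weakness described here and applies the advisory's recommended Cache-Control value when the audit fails. It relies only on the standard Headers class (Node 18 or later); the sample headers and cookie name are constructed, not captured traffic.

```javascript
// Added example for this advisory, not code from authkit-nextjs or its vendor.
// Audits an authenticated response's headers for shared-cache storage and
// applies the Cache-Control value from the workaround section when needed.

// Header value recommended in the advisory's workaround section.
const NO_CACHE_VALUE = 'no-store, no-cache, must-revalidate, private';

// Parse a Cache-Control value into a Set of lowercase directive names,
// dropping arguments such as "max-age=3600".
function parseCacheControl(value) {
  const directives = new Set();
  for (const part of (value || '').split(',')) {
    const name = part.trim().split('=')[0].toLowerCase();
    if (name) directives.add(name);
  }
  return directives;
}

// Return the reasons a response could be stored by a CDN or other shared
// cache. An empty array means the headers are safe for authenticated content.
function auditAuthenticatedResponse(headers) {
  const findings = [];
  const cc = parseCacheControl(headers.get('cache-control'));
  if (cc.size === 0) {
    findings.push('Cache-Control header missing');
  } else {
    if (cc.has('public')) findings.push('Cache-Control marks response public');
    if (!cc.has('no-store')) findings.push('Cache-Control lacks no-store');
    if (!cc.has('private')) findings.push('Cache-Control lacks private');
  }
  // A Set-Cookie on a storable response is exactly how a session token leaks.
  if (headers.has('set-cookie') && !cc.has('no-store')) {
    findings.push('Set-Cookie present on a storable response');
  }
  return findings;
}

// Force the advisory's anti-caching value onto a response's headers.
function hardenAuthenticatedResponse(headers) {
  headers.set('cache-control', NO_CACHE_VALUE);
  return headers;
}

// Constructed sample of a leaky response; the cookie value is a placeholder.
const LEAKY_HEADERS = new Headers({
  'content-type': 'text/html; charset=utf-8',
  'cache-control': 'public, max-age=3600',
  'set-cookie': 'session=CONSTRUCTED_PLACEHOLDER; Path=/; HttpOnly; Secure',
});
```

Run the audit against the headers of a real authenticated response before and after deploying the fix; any finding on a post-fix response means a shared cache can still store it.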

📡 Detection & Monitoring

Log Indicators:

  • Multiple users accessing the same session token
  • Unauthorized access attempts from unexpected IPs

Network Indicators:

  • Cache-Control headers missing from authenticated responses
  • CDN cache hits on authenticated paths

SIEM Query:

search for multiple user sessions with identical tokens or access from diverse IPs within short timeframes

🔗 References