AuthKit Library for Next.js Patches Session Reuse Vulnerability
CVE-2024-29901

8.1HIGH

Key Information:

Vendor

Workos

Status
Authkit-nextjs
Vendor
CVE Published:
29 March 2024

What is CVE-2024-29901?

The AuthKit library for Next.js contains a vulnerability that enables a user to reuse an expired session by manipulating the x-workos-session header. This flaw can compromise session integrity, potentially allowing unauthorized access to user sessions. The issue has been addressed in version 0.4.2, which patches this vulnerability. It is crucial for users of AuthKit to update to the latest version to secure their applications against this exploitation.

Affected Version(s)

authkit-nextjs < 0.4.2

References

https://github.com/workos/authkit-nextjs/security/advisor...
x_refsource_CONFIRM
https://github.com/workos/authkit-nextjs/commit/6c3f4f317...
x_refsource_MISC
https://github.com/workos/authkit-nextjs/releases/tag/v0.4.2
x_refsource_MISC

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.