Sensitive Authentication Artifacts Exposure in React Router Product by WorkOS
CVE-2025-55008

7.1 HIGH

Key Information:

Vendor: WorkOS
CVE Published: 9 August 2025

What is CVE-2025-55008?

Versions 0.6.1 and earlier of the AuthKit library for React Router contain a vulnerability in which sensitive authentication artifacts, such as sealedSession and accessToken, are exposed through the authkitLoader. The flaw causes these values to be rendered directly into the HTML delivered to the browser, which could lead to unauthorized access if exploited. The issue is addressed in version 0.7.0, which implements safeguards to prevent such leaks.
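
A check for the exposure described above, added here as an example (not code from WorkOS or from the advisory): it scans server-rendered HTML for the two field names the advisory lists and for JWT-shaped strings. The sample pages, the `window.__data` variable and every token value are constructed for illustration; how loader data is actually serialized is not shown on this page.

```javascript
// Field names taken from the advisory text.
const SENSITIVE_KEYS = ["sealedSession", "accessToken"];

// A key may appear as plain JSON ("accessToken") or inside an escaped
// string (\"accessToken\"), depending on how the data was serialized.
const KEY_RE = new RegExp(`\\\\?["'](${SENSITIVE_KEYS.join("|")})\\\\?["']`, "g");

// Three base64url segments, the first two starting with "eyJ" (an encoded "{").
const JWT_RE = /\beyJ[A-Za-z0-9_-]{5,}\.eyJ[A-Za-z0-9_-]{5,}\.[A-Za-z0-9_-]{5,}/g;

// Returns one finding per sensitive key name or JWT-shaped value in the HTML.
function findLeakedAuthArtifacts(html) {
  const findings = [];
  for (const m of html.matchAll(KEY_RE)) {
    findings.push({ kind: "key", name: m[1], offset: m.index });
  }
  for (const m of html.matchAll(JWT_RE)) {
    // Record only a short prefix so the report does not copy the token itself.
    findings.push({ kind: "jwt-shaped", name: m[0].slice(0, 12) + "...", offset: m.index });
  }
  return findings.sort((a, b) => a.offset - b.offset);
}

// Constructed sample: a page whose inline script carries the auth artifacts.
const LEAKY_HTML =
  '<html><body><div id="root"></div><script>window.__data = ' +
  '{"user":{"id":"user_01"},' +
  '"accessToken":"eyJhbGciOiJub25lIn0.eyJzdWIiOiJ1c2VyXzAxIn0.c2lnbmF0dXJl",' +
  '"sealedSession":"constructed-sealed-value"};</script></body></html>';

// Constructed sample: the same page with only non-sensitive user data.
const CLEAN_HTML =
  '<html><body><div id="root"></div><script>window.__data = ' +
  '{"user":{"id":"user_01"}};</script></body></html>';

for (const [label, html] of [["leaky", LEAKY_HTML], ["clean", CLEAN_HTML]]) {
  const findings = findLeakedAuthArtifacts(html);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log(`  ${f.kind} ${f.name} at offset ${f.offset}`);
}
```

Run against the HTML responses of authenticated routes, this kind of check can confirm before and after an upgrade whether the named fields still reach the browser.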

Affected Version(s)

authkit-react-router < 0.7.0

CVSS V3.1

Score: 7.1
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
