Authentication and Session Management Vulnerability in AuthKit for Next.js
CVE-2025-64762

8 (HIGH)

Key Information:

Vendor:
WorkOS

CVE Published:
21 November 2025

What is CVE-2025-64762?

The AuthKit library, used for authentication and session management in Next.js applications, suffers from a significant vulnerability in versions prior to 2.11.1. Affected versions allow session tokens to be cached inadvertently in environments that use CDN caching. As a result, a cached response containing one user's session token could be served to other, unauthorized users, leading to potential session hijacking and exposure of sensitive user data. Applications deployed on Vercel remain unaffected unless CDN caching is manually enabled by setting cache headers on authenticated routes. The vulnerability has been resolved in version 2.11.1, which sets the necessary anti-caching headers on all authenticated responses.
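The failure mode above is generic HTTP caching: a response that carries a session cookie but no `no-store`/`private` directive is storable by a shared cache. The following added example (not AuthKit's code; the cookie name, the sample responses and the exact hardening header values are assumptions) audits a set of responses for that condition and shows the hardened form.

```javascript
// Added example (not AuthKit's own code): audit whether a response that carries a
// session cookie could be stored by a shared cache such as a CDN, and harden it.
// The cookie name and the sample responses below are constructed for illustration.

// Parse Cache-Control into { directive: value | true }, directive names lower-cased.
function parseCacheControl(value) {
  const directives = {};
  for (const part of String(value || '').split(',')) {
    const token = part.trim().toLowerCase();
    if (!token) continue;
    const eq = token.indexOf('=');
    if (eq === -1) {
      directives[token] = true;
    } else {
      directives[token.slice(0, eq).trim()] = token.slice(eq + 1).trim().replace(/^"|"$/g, '');
    }
  }
  return directives;
}

// A shared cache is only reliably kept out by `no-store` or `private`; anything else
// (s-maxage, max-age, public, or no header at all) leaves the response storable.
function isSharedCacheStorable(headers) {
  const cc = parseCacheControl(headers['cache-control']);
  return !(cc['no-store'] === true || cc['private'] === true);
}

// Assumed anti-caching headers for authenticated responses (the advisory does not
// list the exact values the 2.11.1 fix uses).
function hardenAuthenticatedResponse(headers) {
  return { ...headers, 'cache-control': 'private, no-store, no-cache, max-age=0, must-revalidate' };
}

// Flag responses that set the session cookie yet remain storable by a shared cache.
function auditAuthenticatedResponses(responses, cookieName = 'example-session') {
  return responses
    .filter((r) => String(r.headers['set-cookie'] || '').startsWith(cookieName + '='))
    .filter((r) => isSharedCacheStorable(r.headers))
    .map((r) => r.path);
}

// Constructed sample: two leaky responses and one already hardened.
const SAMPLE_RESPONSES = [
  { path: '/dashboard', headers: { 'cache-control': 's-maxage=60', 'set-cookie': 'example-session=abc; HttpOnly; Secure' } },
  { path: '/api/me', headers: { 'set-cookie': 'example-session=abc; HttpOnly; Secure' } },
  { path: '/settings', headers: hardenAuthenticatedResponse({ 'set-cookie': 'example-session=abc; HttpOnly; Secure' }) },
];

console.log('storable by a shared cache:', auditAuthenticatedResponses(SAMPLE_RESPONSES));
```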

Affected Version(s)

authkit-nextjs < 2.11.1

References

CVSS v4

Score: 8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published
  • Vulnerability reserved