CVE-2025-64762
CRITICAL
AuthKit library for Next.js < 2.11.1 - Info Disclosure
Title source: llmDescription
The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS and AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, responses produced behind authentication do not defensively apply anti-caching headers (Cache-Control directives that forbid a shared cache from storing the response). In environments where CDN caching is enabled, a response containing a user's session token can therefore be stored by the CDN and subsequently served to other users, who then hold that user's session. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths; any other deployment with a caching CDN in front of the application should be reviewed. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication regardless of any cache policy the application sets.
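The following added example (not code from authkit-nextjs or WorkOS) models the failure mode described above: a developer has put a shared-cacheable Cache-Control header on an authenticated route, the response body carries the caller's session token, and a CDN in front of the origin hands the first user's response to the second user. The `applyAntiCacheHeaders` middleware shows the defensive behaviour the advisory describes for 2.11.1, and `auditAuthenticatedResponse` is the check a practitioner would run against a live response. The header values, the simplified shared-cache storability rule, the `/dashboard` route and the `sess-*` tokens are all assumptions constructed for the example; the exact headers set by the 2.11.1 patch are not reproduced here.

```javascript
// Added example, not authkit-nextjs code. Uses the WHATWG `Headers` global
// available in Node 18+, the same type Next.js responses expose.

// Parse a Cache-Control header into a Map of directive -> value ("" if none).
function parseCacheControl(headers) {
  const value = headers.get("cache-control") || "";
  return new Map(
    value.split(",").map((d) => d.trim().toLowerCase()).filter(Boolean)
      .map((d) => { const [k, v] = d.split("="); return [k, v ?? ""]; })
  );
}

// Simplified shared-cache (CDN) storability rule, an assumption for this model:
// never store no-store/private; otherwise store only when the origin explicitly
// opted in with public or s-maxage (the "manually enable CDN caching" case).
function sharedCacheMayStore(headers) {
  const cc = parseCacheControl(headers);
  if (cc.has("no-store") || cc.has("private")) return false;
  return cc.has("public") || cc.has("s-maxage");
}

// Defensive middleware: unconditionally override any cache policy on a response
// produced behind authentication. Header values are conventional, not the patch's.
function applyAntiCacheHeaders(headers) {
  headers.set("Cache-Control", "private, no-cache, no-store, max-age=0, must-revalidate");
  headers.set("Pragma", "no-cache");
  headers.set("Expires", "0");
  return headers;
}

// Findings to raise when inspecting an authenticated response (e.g. curl -sI).
function auditAuthenticatedResponse(headers) {
  const findings = [];
  const cc = parseCacheControl(headers);
  if (!cc.has("no-store")) findings.push("missing no-store");
  if (!cc.has("private")) findings.push("missing private");
  if (cc.has("public") || cc.has("s-maxage")) findings.push("explicitly shared-cacheable");
  return findings;
}

// Toy shared cache in front of an origin. `origin(session)` builds the response
// for the requesting user; `harden` is the (optional) middleware under test.
class SharedCache {
  constructor() { this.store = new Map(); }
  fetch(path, session, origin, harden) {
    if (this.store.has(path)) return { ...this.store.get(path), fromCache: true };
    let { headers, body } = origin(session);
    if (harden) headers = harden(headers);
    const resp = { headers, body, fromCache: false };
    if (sharedCacheMayStore(headers)) this.store.set(path, resp);
    return resp;
  }
}

// Origin for the constructed /dashboard route: the application opted into CDN
// caching on an authenticated path and embeds the caller's session in the body.
function vulnerableOrigin(session) {
  const headers = new Headers({ "Cache-Control": "public, s-maxage=60" });
  return { headers, body: `<p>token=${session}</p>` };
}

// Two users request the same path; report which token each of them received.
function simulate(harden) {
  const cdn = new SharedCache();
  const alice = cdn.fetch("/dashboard", "sess-alice", vulnerableOrigin, harden);
  const bob = cdn.fetch("/dashboard", "sess-bob", vulnerableOrigin, harden);
  return { aliceBody: alice.body, bobBody: bob.body, bobFromCache: bob.fromCache };
}

// Without hardening Bob receives Alice's cached session; with it, each user gets
// their own response and nothing is stored by the shared cache.
const leaked = simulate(null);
const fixed = simulate(applyAntiCacheHeaders);
console.log("unpatched, bob saw:", leaked.bobBody, "from cache:", leaked.bobFromCache);
console.log("patched, bob saw:", fixed.bobBody, "from cache:", fixed.bobFromCache);
console.log("audit of unpatched response:", auditAuthenticatedResponse(vulnerableOrigin("x").headers));
```

Against a real deployment, the equivalent check is to request an authenticated page with a valid session cookie and confirm the response carries `Cache-Control: private` and `no-store` (and no `public` or `s-maxage`); the model above deliberately overrides the application's own header rather than merging with it, because a developer-set `s-maxage` is exactly the condition the advisory says turns this into a cross-user leak.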
References (3, core)
Patch, Third Party Advisory (x_refsource_confirm): https://github.com/workos/authkit-nextjs/security/advisories/GHSA-p8pf-44ff-93gf
Patch (x_refsource_misc): https://github.com/workos/authkit-nextjs/commit/94cf438124993abb0e7c19dac64c3cb5724a15ea
Release Notes (x_refsource_misc): https://github.com/workos/authkit-nextjs/releases/tag/v2.11.1
Scores
CVSS v3
9.1
EPSS
0.0008
EPSS Percentile
23.7%
Attack Vector
NETWORK
Vector String
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
total
Details
CWE
CWE-524
Status
published
Products (2)
workos/authkit-nextjs
< 2.11.1
workos-inc/authkit-nextjs
>= 0, < 2.11.1 (npm)
Published
Nov 21, 2025
Tracked Since
Feb 18, 2026