Workos · Authkit-React-Router · CVE-2025-55008
**Name of the Vulnerable Software and Affected Versions**
@workos-inc/authkit-react-router versions 0.6.1 and below
**Description**
The AuthKit library for React Router exposes sensitive authentication artifacts – specifically `sealedSession` and `accessToken` – by returning them from the `authkitLoader`, causing them to be rendered into the browser HTML. This information disclosure could lead to session hijacking in environments where cross-site scripting (XSS), malicious browser extensions, or local inspection is possible.
**Recommendations**
Update to version 0.7.0 or later.
In patched versions, `sealedSession` and `accessToken` are no longer returned by default from the `authkitLoader`.
A secure server-side mechanism is provided to fetch an access token as needed.
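The disclosure pattern above and the fix it recommends, as an added example that is not code from the advisory or from the WorkOS project: a React Router-style loader that returns the whole auth object (so SSR serialises `sealedSession` and `accessToken` into the page) next to one that strips those keys first, plus a check a defender can run over rendered HTML. The auth object shape, the placeholder values and the SSR stand-in are assumptions.

```javascript
// Added example, not the library's code. Models the advisory's bug: loader
// data is serialised into the SSR HTML, so anything the loader returns is
// visible to scripts, extensions and anyone inspecting the page.

// Constructed sample of what an auth helper might hand a loader. The field
// names `sealedSession` and `accessToken` come from the advisory; the values
// are placeholders, not real artefacts.
const SAMPLE_AUTH = {
  user: { id: 'user_PLACEHOLDER', email: 'alice@example.test' },
  sessionId: 'session_PLACEHOLDER',
  sealedSession: 'SEALED_SESSION_PLACEHOLDER',
  accessToken: 'ACCESS_TOKEN_PLACEHOLDER',
};

// Server-only artefacts that must never reach the browser via loader data.
const SERVER_ONLY_KEYS = ['sealedSession', 'accessToken'];

// Vulnerable shape (the pre-0.7.0 behaviour the advisory describes):
// everything the helper returned is handed straight to the client.
function vulnerableLoaderData(auth) {
  return { ...auth };
}

// Hardened shape (what the fix does by default): drop the server-only keys
// before the data is returned; the server fetches a token separately when
// it actually needs one.
function hardenedLoaderData(auth) {
  const safe = { ...auth };
  for (const key of SERVER_ONLY_KEYS) delete safe[key];
  return safe;
}

// Crude stand-in for how a framework embeds loader data in the HTML it
// serves; real frameworks use their own script tag, but the effect is the
// same: the JSON lands in the document.
function renderLoaderDataToHtml(data) {
  return `<script>window.__loaderData = ${JSON.stringify(data)};</script>`;
}

// Defender's check: scan rendered HTML for any server-only key name. Run it
// against a fetched page to confirm an upgrade or a custom loader is clean.
function findLeakedKeys(html) {
  return SERVER_ONLY_KEYS.filter((key) => html.includes(`"${key}"`));
}
```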