PT-2025-32421 · Workos · Authkit-React-Router

Marji-Workos · Published 2025-08-08 · Updated 2025-08-09 · CVE-2025-55008

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Name of the Vulnerable Software and Affected Versions
@workos-inc/authkit-react-router versions 0.6.1 and below

Description
The AuthKit library for React Router exposes sensitive authentication artifacts – specifically sealedSession and accessToken – by returning them from the authkitLoader, which causes them to be rendered into the browser HTML. This information disclosure could lead to session hijacking in environments where cross-site scripting (XSS), malicious browser extensions, or local inspection is possible.

Recommendations
Update to version 0.7.0 or later. In patched versions, sealedSession and accessToken are no longer returned by default from the authkitLoader. A secure server-side mechanism is provided to fetch an access token as needed.
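The following is an added, framework-free illustration of the issue described above; it is not code from WorkOS or from @workos-inc/authkit-react-router. It models how a React Router loader's return value is serialized into the server-rendered HTML, shows a loader that returns the whole session (the vulnerable shape) next to one that strips secret-bearing keys, and includes a small check a reviewer can run against rendered HTML. The names fakeSession, vulnerableLoader, hardenedLoader, renderLoaderData, findLeakedKeys and SENSITIVE_KEYS, and the sample values, are assumptions made for this example.

```javascript
// Added example, not the project's code. Models loader data reaching the
// browser HTML and a server-side filter that keeps secrets out of it.

// Constructed sample session; the values are placeholders, not real tokens.
const fakeSession = {
  user: { id: "user_123", email: "alice@example.com" },
  sealedSession: "sealed.example.value",   // constructed placeholder
  accessToken: "eyJhbGciOi.example.token", // constructed placeholder
  organizationId: "org_456",
};

// Keys that must never be part of data returned to the client from a loader.
// (refreshToken is included as a general precaution; it is an assumption.)
const SENSITIVE_KEYS = new Set(["sealedSession", "accessToken", "refreshToken"]);

// Vulnerable shape: the loader hands the entire session object back, so every
// field, secrets included, becomes part of the hydration payload.
function vulnerableLoader(session) {
  return { ...session };
}

// Hardened shape: only non-sensitive fields are returned. Anything the server
// needs later (e.g. calling an API with the access token) stays server-side.
function hardenedLoader(session) {
  const safe = {};
  for (const [key, value] of Object.entries(session)) {
    if (!SENSITIVE_KEYS.has(key)) safe[key] = value;
  }
  return safe;
}

// Simplified model of server-side rendering in a React Router framework:
// loader data is JSON-serialised into a <script> so the client can hydrate.
// '<' is escaped so the data cannot close the script element early.
function renderLoaderData(data) {
  const json = JSON.stringify(data).replace(/</g, "\\u003c");
  return (
    "<!DOCTYPE html><html><body><div id=\"root\"></div>" +
    `<script>window.__loaderData=${json};</script></body></html>`
  );
}

// Review/detection helper: report which sensitive keys appear in rendered HTML.
// Returns an array of key names found (empty when nothing leaked).
function findLeakedKeys(html) {
  return [...SENSITIVE_KEYS].filter((key) => html.includes(`"${key}":`));
}

// Convenience wrapper so the two loader shapes can be compared directly.
function leakedKeysFor(loader) {
  return findLeakedKeys(renderLoaderData(loader(fakeSession)));
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable loader leaks:", leakedKeysFor(vulnerableLoader));
  console.log("hardened loader leaks:  ", leakedKeysFor(hardenedLoader));
}
```

Running the block prints the two sensitive keys for the vulnerable loader and an empty list for the hardened one. The same findLeakedKeys check, pointed at an application's actual server-rendered pages, is a cheap regression test for this class of leak: loader data is public by construction, so the filter belongs on the server before the loader returns, not in client code.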

Weakness Enumeration
Information Disclosure

Related Identifiers

CVE-2025-55008
GHSA-VQVC-9Q8X-VMQ6

Affected Products

Authkit-React-Router