PT-2025-47657 · Unknown+1 · Authkit-Nextjs+1

Published: 2025-11-20 · Updated: 2025-12-11 · CVE-2025-64762

CVSS v3.1: 9.4 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: AuthKit-nextjs versions 2.11.0 and below
Description: The AuthKit library for Next.js, used for authentication and session management, does not apply anti-caching headers to authenticated responses in versions 2.11.0 and below. When CDN caching is enabled, a shared cache is therefore allowed to store an authenticated response together with the session token it carries, and may then serve that cached response, token included, to other users. Next.js applications deployed on Vercel are not affected unless CDN caching is manually enabled through cache headers on authenticated paths.
Recommendations: Update to AuthKit-nextjs version 2.11.1, which includes anti-caching headers for all responses behind authentication.
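The following is an added illustration of the failure mode described above and of the header-based mitigation; it is a constructed model written for this page, not AuthKit's code. The shared-cache behaviour, the `session` cookie name, the `/dashboard` path and the exact anti-caching header values are assumptions chosen to make the mechanism visible.

```javascript
// Constructed model: a shared (CDN) cache in front of an authenticated Next.js route.
// Not AuthKit's code; cookie name, path and header values below are assumed.

// Headers a response behind authentication should carry so that no shared cache stores it.
// (The advisory says 2.11.1 adds anti-caching headers; these particular values are assumed.)
const ANTI_CACHING_HEADERS = {
  'cache-control': 'private, no-cache, no-store, max-age=0, must-revalidate',
  'pragma': 'no-cache',
  'expires': '0',
};

// True when Cache-Control forbids a shared cache from storing the response.
function isUncacheableByShared(headers) {
  const cc = (headers['cache-control'] || '').toLowerCase();
  const directives = cc.split(',').map((d) => d.trim());
  return directives.includes('no-store') || directives.includes('private');
}

// Simplified CDN: stores any 200 that does not opt out, keyed only by method and path.
// A cache key that ignores cookies is what turns a missing header into cross-user token reuse.
class SharedCache {
  constructor() { this.store = new Map(); }

  fetch(request, handler) {
    const key = `${request.method} ${request.path}`;
    if (this.store.has(key)) return { ...this.store.get(key), fromCache: true };
    const response = handler(request);
    if (response.status === 200 && !isUncacheableByShared(response.headers)) {
      this.store.set(key, response);
    }
    return { ...response, fromCache: false };
  }
}

// Vulnerable shape (models the <= 2.11.0 behaviour described in the advisory):
// an authenticated response sets a session cookie but sends no Cache-Control at all.
function vulnerableAuthenticatedHandler(request) {
  return {
    status: 200,
    headers: { 'set-cookie': `session=${request.sessionToken}; HttpOnly; Secure; Path=/` },
    body: `Hello ${request.user}`,
  };
}

// Mitigation: wrap every authenticated handler so its response carries the anti-caching headers.
function withAntiCachingHeaders(handler) {
  return (request) => {
    const response = handler(request);
    return { ...response, headers: { ...response.headers, ...ANTI_CACHING_HEADERS } };
  };
}

// Replay: two users request the same path through the same shared cache and we
// record which session token each one actually received.
function replay(handler) {
  const cache = new SharedCache();
  const alice = { method: 'GET', path: '/dashboard', user: 'alice', sessionToken: 'tok-alice' };
  const bob = { method: 'GET', path: '/dashboard', user: 'bob', sessionToken: 'tok-bob' };
  const tokenOf = (res) => /session=([^;]+)/.exec(res.headers['set-cookie'])[1];
  const first = cache.fetch(alice, handler);
  const second = cache.fetch(bob, handler);
  return { aliceGot: tokenOf(first), bobGot: tokenOf(second), bobServedFromCache: second.fromCache };
}

// Audit helper for a deployed app: returns true (unsafe) when a response both sets a
// cookie and fails to opt out of shared caching. Run it over captured response headers.
function auditResponse(headers) {
  const setsCookie = Object.keys(headers).some((h) => h.toLowerCase() === 'set-cookie');
  return setsCookie && !isUncacheableByShared(headers);
}

console.log('vulnerable:', replay(vulnerableAuthenticatedHandler));
console.log('mitigated: ', replay(withAntiCachingHeaders(vulnerableAuthenticatedHandler)));
```

With the vulnerable handler the second user is served the cached response and therefore the first user's token; with the wrapper applied the cache refuses to store the response and each user receives only their own. `auditResponse` is the check to run against the headers an authenticated path actually returns through the CDN, since a framework upgrade only helps if no other layer re-enables caching on those paths.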


Weakness Enumeration

Related Identifiers

BDU:2025-14673
CVE-2025-64762
GHSA-P8PF-44FF-93GF

Affected Products

Authkit-Nextjs
Next.Js