PT-2026-37271 · npm · @workos/authkit-session

Kenkunz · Published 2026-05-05 · Updated 2026-05-11

CVE-2026-42565

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: @workos/authkit-session versions prior to 0.5.1

Description: An open redirect issue exists in the handleCallback() function of AuthService due to insufficient validation of the returnPathname value derived from the OAuth state parameter. The state parameter is round-tripped through the identity provider (IdP) and can be influenced by an attacker. The handleCallback() function decodes and returns returnPathname without enforcing restrictions on origin or scheme, allowing attacker-controlled values to be returned to the application. If this value is used directly in a redirect, users may be sent to an external, attacker-controlled site, which can facilitate phishing or social engineering attacks by leveraging the trust of the originating domain.

Recommendations: Update to version 0.5.1.
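The following is an added illustration of the weakness class described above and of the check a consuming application should apply to a return path recovered from OAuth state. It is not code from @workos/authkit-session, nor its 0.5.1 fix. It assumes, for the example only, that the state blob is base64url-encoded JSON carrying a returnPathname field, that the application origin is https://app.example, and the function names are chosen here.

```javascript
// Added example (not code from @workos/authkit-session): validating a
// returnPathname recovered from the OAuth `state` parameter before it is
// used in a redirect. The state value round-trips through the IdP, so it
// must be treated as untrusted input.

const DEFAULT_PATH = '/';
const APP_ORIGIN = 'https://app.example'; // hypothetical origin for this example

// Assumed state encoding for this example: base64url-encoded JSON.
// The real package's state format may differ.
function decodeState(state) {
  try {
    const json = Buffer.from(state, 'base64url').toString('utf8');
    const parsed = JSON.parse(json);
    return typeof parsed.returnPathname === 'string' ? parsed.returnPathname : null;
  } catch {
    return null; // malformed or missing state: no usable return path
  }
}

function encodeState(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Weak pattern: the decoded value is handed straight to the redirect, so a
// state blob carrying an absolute URL sends the user off-origin.
function unsafeReturnPathname(state) {
  return decodeState(state) ?? DEFAULT_PATH;
}

// Hardened pattern: accept only a same-origin, path-only value.
function safeReturnPathname(state) {
  const candidate = decodeState(state);
  if (candidate === null) return DEFAULT_PATH;

  // Require exactly one leading slash. "//host" is protocol-relative and
  // "/\host" is normalised to "//host" by some URL parsers.
  if (!/^\/(?![\/\\])/.test(candidate)) return DEFAULT_PATH;

  // Reject control characters and whitespace that could smuggle a scheme.
  if (/[\u0000-\u001F\u007F\s]/.test(candidate)) return DEFAULT_PATH;

  // Resolve against the fixed origin and confirm the origin is unchanged.
  let parsed;
  try {
    parsed = new URL(candidate, APP_ORIGIN);
  } catch {
    return DEFAULT_PATH;
  }
  if (parsed.origin !== APP_ORIGIN) return DEFAULT_PATH;

  // Return a normalised path-only value (path, query, fragment).
  return parsed.pathname + parsed.search + parsed.hash;
}

module.exports = { decodeState, encodeState, unsafeReturnPathname, safeReturnPathname };
```

Resolving the candidate against a fixed origin and comparing parsed.origin is the decisive check; the regular expressions in front of it only give clearer early rejections. Applications that build the redirect from returnPathname should run this kind of allow-list validation regardless of the library version in use, since the page notes the value is only unsafe "if this value is used directly in a redirect".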

Fix: available

Vulnerability type: Open Redirect


Weakness Enumeration

Related Identifiers

CVE-2026-42565
GHSA-VVVV-983W-R7PV

Affected Products

@workos/authkit-session