CVE-2025-55008 Overview
CVE-2025-55008 affects the @workos-inc/authkit-react-router library, which provides authentication and session management helpers for WorkOS and AuthKit on React Router 7+. Versions 0.6.1 and below return sensitive authentication artifacts, specifically sealedSession and accessToken, from the authkitLoader. React Router serializes loader return values into the page, causing these secrets to be rendered into the browser HTML where they are accessible to any client-side script or local observer. The issue is fixed in version 0.7.0. This is an information exposure flaw classified as CWE-200.
Critical Impact
Session tokens and access tokens rendered in browser HTML can be harvested by malicious scripts, browser extensions, or anyone with access to the rendered page, enabling session hijacking and impersonation of authenticated users.
Affected Products
- @workos-inc/authkit-react-router versions 0.6.1 and below
- Applications using React Router 7+ with WorkOS AuthKit integration
- Server-side rendered React Router applications consuming authkitLoader
Discovery Timeline
- 2025-08-09 - CVE-2025-55008 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2025-55008
Vulnerability Analysis
The authkitLoader helper in @workos-inc/authkit-react-router returns an AuthorizedData object that includes the user's accessToken and sealedSession. React Router serializes loader return values and embeds them in the server-rendered HTML to hydrate the client. As a result, both secrets travel from the server to the browser inside the document body, where they remain visible in the DOM and accessible to any JavaScript executing in the page context.
The accessToken is a bearer credential used to authenticate API requests on behalf of the user. The sealedSession is the encrypted session payload normally intended to live only in an HTTP-only cookie. Exposing either value defeats the protections that HTTP-only and Secure cookie flags provide.
Root Cause
The root cause is an interface design flaw. The AuthorizedData and UnauthorizedData types declared accessToken and sealedSession as fields returned from the loader. Because React Router automatically serializes loader return values for client consumption, any field placed on these objects is exposed to the browser. The library did not separate server-only secrets from client-safe session metadata.
Attack Vector
An attacker with the ability to read the rendered HTML or execute JavaScript in the page can extract the tokens. Realistic vectors include cross-site scripting in any third-party dependency, malicious browser extensions, shared workstations, server logs that capture full HTML responses, and HTML caching layers. The exposed accessToken can be replayed against the WorkOS API, and the sealedSession can be used to resume the user's authenticated session.
// Patch from src/interfaces.ts - removed fields
export interface AuthorizedData {
user: User;
sessionId: string;
- accessToken: string;
organizationId: string | null;
role: string | null;
permissions: string[];
entitlements: string[];
featureFlags: string[];
impersonator: Impersonator | null;
- sealedSession: string;
}
export interface UnauthorizedData {
user: null;
sessionId: null;
- accessToken: null;
organizationId: null;
role: null;
permissions: null;
entitlements: null;
featureFlags: null;
impersonator: null;
- sealedSession: null;
}
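Review bot: Removing accessToken and sealedSession from the exported AuthorizedData and UnauthorizedData interfaces is a breaking change for every consumer that reads auth.accessToken inside its own loader; TypeScript callers get a compile error, but plain-JavaScript callers silently receive undefined. Ship the hunk with a changelog/migration note that points those callers to the new getAccessToken() accessor and states explicitly that sealedSession is no longer available from loader data at all.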
Source: GitHub Commit 607caac
The fix removes the secret fields from the loader's serialized payload and introduces a server-side getAccessToken() accessor instead:
// Patch from src/session.ts - accessor replaces direct field
type AuthLoader<Data> = (
- args: LoaderFunctionArgs & { auth: AuthorizedData | UnauthorizedData },
+ args: LoaderFunctionArgs & { auth: AuthorizedData | UnauthorizedData; getAccessToken: () => string | null },
) => LoaderReturnValue<Data>;
-type AuthorizedAuthLoader<Data> = (args: LoaderFunctionArgs & { auth: AuthorizedData }) => LoaderReturnValue<Data>;
+type AuthorizedAuthLoader<Data> = (
+ args: LoaderFunctionArgs & { auth: AuthorizedData; getAccessToken: () => string },
+) => LoaderReturnValue<Data>;
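Review bot: This hunk is type-only; it widens the loader argument with `getAccessToken: () => string | null` but shows none of the runtime side, i.e. where authkitLoader now builds that closure and stops placing accessToken and sealedSession on the data it returns. The review should include that code plus a test that serializes the loader result and asserts neither key is present, since a type change alone cannot stop a field from being serialized. Minor: the inline `{ auth: ...; getAccessToken: ... }` literal is duplicated across AuthLoader and AuthorizedAuthLoader; a shared named type would keep the two signatures from drifting.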
Source: GitHub Commit 607caac
Detection Methods for CVE-2025-55008
Indicators of Compromise
- Presence of accessToken or sealedSession strings inside server-rendered HTML responses or hydration payloads such as __remixContext or window.__staticRouterHydrationData.
- Authentication API calls originating from IP addresses or user agents that do not match the legitimate session owner.
- WorkOS access token usage outside of expected client domains or refresh patterns.
Detection Strategies
- Inspect production HTML output for any occurrence of accessToken or sealedSession keys in the serialized loader data.
- Run dependency inventory queries to identify projects with @workos-inc/authkit-react-router at version 0.6.1 or earlier in package.json and lockfiles.
- Add an automated CI check that fails the build when the rendered HTML for authenticated routes contains a JWT-shaped pattern matching the access token format.
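A CI check implementing the third strategy above, added here as an example rather than code from the advisory or the WorkOS project; it assumes the hydration payload is a JSON object embedded in a script tag, and the HTML samples it scans are constructed.

```typescript
// Added example (not WorkOS project code): a CI-style check that scans
// server-rendered HTML for the loader fields leaked by vulnerable versions.
// The HTML samples at the bottom are constructed for illustration.

export interface Finding {
  kind: 'loader-key' | 'jwt-shaped';
  key: string | null;
  preview: string; // redacted, so the check's own output never re-leaks the value
}

// Field names the vulnerable authkitLoader serialized into the hydration payload.
const LEAKED_KEYS = ['accessToken', 'sealedSession'];

function redact(value: string): string {
  return value.length <= 8 ? '***' : `${value.slice(0, 4)}...${value.slice(-4)}`;
}

export function findExposedSecrets(html: string): Finding[] {
  const findings: Finding[] = [];
  // Regexes are built per call so their lastIndex state never leaks between scans.
  const keyPattern = new RegExp(`"(${LEAKED_KEYS.join('|')})"\\s*:\\s*"([^"]+)"`, 'g');
  // Three base64url segments whose first decodes to a JSON header ("eyJ" is '{"') look like a JWT.
  const jwtPattern = /eyJ[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}/g;
  let m: RegExpExecArray | null;
  while ((m = keyPattern.exec(html)) !== null) {
    findings.push({ kind: 'loader-key', key: m[1] ?? null, preview: redact(m[2] ?? '') });
  }
  while ((m = jwtPattern.exec(html)) !== null) {
    findings.push({ kind: 'jwt-shaped', key: null, preview: redact(m[0]) });
  }
  return findings;
}

// True when the page is safe to ship; a CI job would fail the build otherwise.
export function htmlIsClean(html: string): boolean {
  return findExposedSecrets(html).length === 0;
}

// Constructed hydration payloads: one from a vulnerable build, one after the fix.
const FAKE_JWT = 'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyJ9.Y29uc3RydWN0ZWRfc2lnbmF0dXJl';
export const LEAKY_HTML =
  '<script>window.__staticRouterHydrationData = {"loaderData":{"routes/dashboard":' +
  `{"user":{"id":"user_123"},"sessionId":"session_abc","accessToken":"${FAKE_JWT}",` +
  '"sealedSession":"constructed_sealed_session_blob"}}};</script>';
export const CLEAN_HTML =
  '<script>window.__staticRouterHydrationData = {"loaderData":{"routes/dashboard":' +
  '{"user":{"id":"user_123"},"sessionId":"session_abc"}}};</script>';
```

In a pipeline, fetch the HTML of each authenticated route with a test session and run htmlIsClean over the response body.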
Monitoring Recommendations
- Monitor WorkOS audit logs for token reuse from unexpected geolocations or concurrent sessions tied to the same user.
- Alert on anomalous spikes in /authkit or session refresh endpoint traffic that may indicate replayed sealedSession values.
- Review web server and CDN logs for cached HTML pages of authenticated routes that may persist exposed tokens.
How to Mitigate CVE-2025-55008
Immediate Actions Required
- Upgrade @workos-inc/authkit-react-router to version 0.7.0 or later in all projects.
- Rotate the WorkOS session signing keys so that any previously exposed sealedSession values are invalidated.
- Revoke active access tokens and force re-authentication for users who logged in while a vulnerable version was deployed.
- Audit any caches, logs, or analytics pipelines that may have captured rendered HTML containing the exposed secrets.
Patch Information
The fix is available in @workos-inc/authkit-react-router v0.7.0. The patch removes accessToken and sealedSession from the AuthorizedData and UnauthorizedData interfaces and introduces a server-side getAccessToken() callback that is never serialized to the client. See the GitHub Release v0.7.0 and the GitHub Security Advisory GHSA-vqvc-9q8x-vmq6 for full details.
Workarounds
- If upgrading immediately is not possible, wrap authkitLoader with a custom loader that strips accessToken and sealedSession from the return value before it reaches the client.
- Move all access-token-dependent logic to server-side actions and loaders, and never reference these fields in client components.
- Apply strict Content Security Policy (CSP) headers to reduce the risk of third-party script injection harvesting the exposed values.
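The first workaround above as code, added here as an example and not the library's own implementation; it assumes the wrapped loader returns plain JSON data (the field names are those the advisory lists), and the inner loader and its data are constructed stand-ins.

```typescript
// Added example (not the library's code): a wrapper that removes accessToken and
// sealedSession from a loader's return value before React Router serializes it.
// The inner loader and its data below are constructed stand-ins.

// Field names the vulnerable authkitLoader placed on its return value.
const SERVER_ONLY_FIELDS = new Set(['accessToken', 'sealedSession']);

type LoaderFn<A, R> = (args: A) => Promise<R> | R;

// Walk plain objects and arrays, dropping the server-only fields at any depth.
// Anything else (a Response, a class instance, a primitive) passes through
// unchanged, so this only protects loaders that return plain data.
function strip(value: unknown): unknown {
  if (Array.isArray(value)) return value.map(strip);
  if (value !== null && typeof value === 'object' && Object.getPrototypeOf(value) === Object.prototype) {
    const out: Record<string, unknown> = {};
    for (const [key, inner] of Object.entries(value)) {
      if (!SERVER_ONLY_FIELDS.has(key)) out[key] = strip(inner);
    }
    return out;
  }
  return value;
}

export function stripServerSecrets<T>(data: T): T {
  return strip(data) as T;
}

// Wrap a loader (for instance one that calls authkitLoader and forwards its
// result) so only client-safe fields reach the hydration payload.
export function withoutServerSecrets<A, R>(loader: LoaderFn<A, R>): (args: A) => Promise<R> {
  return async (args: A) => stripServerSecrets(await loader(args));
}

// Constructed stand-in for the object a vulnerable authkitLoader returned.
export const VULNERABLE_LOADER_DATA = {
  user: { id: 'user_123', email: 'user@example.com' },
  sessionId: 'session_abc',
  accessToken: 'constructed.access.token',
  organizationId: null,
  role: 'member',
  permissions: ['read'],
  impersonator: null,
  sealedSession: 'constructed_sealed_session',
};

export const safeDashboardLoader = withoutServerSecrets(async (_args: object) => VULNERABLE_LOADER_DATA);
```

Code that needs the access token must then obtain it server-side inside the loader or action rather than from the returned data.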
# Upgrade to the patched version
npm install @workos-inc/authkit-react-router@^0.7.0
# Verify the installed version
npm ls @workos-inc/authkit-react-router
# Audit for residual occurrences in lockfiles
grep -R "authkit-react-router" package-lock.json yarn.lock pnpm-lock.yaml
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.