CVE-2025-64762 Overview
CVE-2025-64762 is a session token exposure vulnerability in the AuthKit library for Next.js, which provides authentication and session management helpers built on WorkOS and AuthKit. In authkit-nextjs versions 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers, so session tokens can end up in cached responses when CDN caching is enabled. This can result in session tokens being served to multiple users, potentially enabling session hijacking and unauthorized access.
Critical Impact
Session tokens may be cached by CDNs and served to unauthorized users, leading to authentication bypass and potential account compromise across multiple users.
Affected Products
- WorkOS authkit-nextjs versions 2.11.0 and earlier
- Next.js applications with manually enabled CDN caching on authenticated paths
- Applications not deployed on Vercel (Vercel deployments are unaffected unless caching is manually enabled)
Discovery Timeline
- 2025-11-21 - CVE-2025-64762 published to NVD
- 2025-12-11 - Last updated in the NVD database
Technical Details for CVE-2025-64762
Vulnerability Analysis
This vulnerability stems from missing cache control headers in authenticated responses within the AuthKit library. When a Next.js application uses AuthKit for session management and has CDN caching enabled, the library fails to set appropriate anti-caching headers (such as Cache-Control: no-store and Vary: Cookie) on responses that contain session tokens. As a result, CDN edge servers may cache these authenticated responses and subsequently serve them to different users, exposing session tokens across user boundaries.
The attack requires a specific deployment configuration where CDN caching is enabled on authenticated paths. Applications deployed on Vercel are unaffected by default, as Vercel does not cache responses unless developers explicitly configure caching headers on authenticated routes.
Root Cause
The root cause is the absence of defensive anti-caching headers in the authentication response handling code. The library did not include the Vary: Cookie header or cache prevention headers (like Cache-Control: no-store, no-cache, must-revalidate) on responses generated by authenticated routes. This oversight allows intermediate caching layers to store and replay responses containing sensitive session data.
Attack Vector
An attacker can exploit this vulnerability through network-based attacks in environments where CDN caching is enabled:
- The attacker makes an authenticated request to a vulnerable application
- The CDN caches the response containing the victim's session token
- Subsequent requests from other users receive the cached response with the victim's session token
- The attacker can then hijack the victim's session and gain unauthorized access
The patch introduces a preventCaching() function that explicitly sets the Vary: Cookie header and applies cache prevention headers to all authenticated responses:
import { WORKOS_CLIENT_ID } from './env-variables.js';
import { HandleAuthOptions } from './interfaces.js';
import { saveSession } from './session.js';
-import { errorResponseWithFallback, redirectWithFallback } from './utils.js';
+import { errorResponseWithFallback, redirectWithFallback, setCachePreventionHeaders } from './utils.js';
import { getWorkOS } from './workos.js';
+function preventCaching(headers: Headers): void {
+ headers.set('Vary', 'Cookie');
+ setCachePreventionHeaders(headers);
+}
function handleState(state: string | null) {
let returnPathname: string | undefined = undefined;
let userState: string | undefined;
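Review bot: `headers.set('Vary', 'Cookie')` in the new preventCaching() replaces whatever Vary value the response already carries (for example Accept-Encoding), so a downstream cache could lose a key it was relying on; merge instead of overwriting by reading `headers.get('Vary')`, appending `Cookie` only if absent, and setting the joined list. The hunk also only defines the helper; none of the visible lines call it, so the fix's coverage rests on every response path (saveSession, redirectWithFallback, errorResponseWithFallback) invoking it, and a test asserting Cache-Control and Vary on each of those responses would keep that from regressing.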
Source: GitHub Commit Update
Detection Methods for CVE-2025-64762
Indicators of Compromise
- Unusual session activity where users report seeing other users' data or sessions
- CDN cache hit logs showing cached responses for authenticated endpoints
- Multiple users accessing accounts simultaneously from different geographic locations
- Application logs indicating session token reuse across different IP addresses
Detection Strategies
- Review CDN access logs for cached responses on authentication-related paths (e.g., /api/auth/*, callback routes)
- Monitor for anomalous authentication patterns where session tokens appear to be shared
- Audit HTTP response headers on authenticated routes for missing Cache-Control and Vary headers
- Implement session fingerprinting to detect sessions being used from multiple devices or locations
Monitoring Recommendations
- Enable detailed logging for authentication events and session creation/validation
- Configure CDN monitoring to alert on cached responses containing authentication cookies
- Implement real-time alerting for session anomalies such as concurrent access from disparate locations
- Regularly audit cache configurations on authenticated application paths
How to Mitigate CVE-2025-64762
Immediate Actions Required
- Upgrade authkit-nextjs to version 2.11.1 or later immediately
- Invalidate all CDN caches for authenticated paths to remove potentially cached session tokens
- Force re-authentication for all active user sessions as a precautionary measure
- Review CDN caching configurations and disable caching on authentication-related endpoints
Patch Information
WorkOS has released version 2.11.1 of authkit-nextjs which applies anti-caching headers to all responses behind authentication. The patch introduces the setCachePreventionHeaders() utility function and a preventCaching() helper that sets both the Vary: Cookie header and standard cache prevention headers.
For detailed patch information, see the GitHub Security Advisory GHSA-p8pf-44ff-93gf and the GitHub Release v2.11.1.
Workarounds
- Manually add anti-caching headers to authenticated routes using Next.js middleware or route handlers
- Disable CDN caching entirely on all authenticated paths until the upgrade can be completed
- Configure CDN rules to bypass caching for requests containing authentication cookies
- Implement a reverse proxy rule to inject cache prevention headers for authenticated endpoints
# Configuration example - Add to your CDN or middleware
# Ensure these headers are set on all authenticated responses:
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: 0
Vary: Cookie
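As an added illustration (not authkit-nextjs code) of the header audit in the Detection Strategies section and the middleware workaround above, the following Node.js snippet checks a response's headers for the conditions that let a shared cache store it and hardens them in place using only the standard Headers API; unlike a bare set of Vary, it keeps any Vary members the handler already added.

```javascript
// Added example, not from authkit-nextjs. Headers is the Web API global in Node 18+.
const CACHE_PREVENTION = {
  'Cache-Control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
  Pragma: 'no-cache',
  Expires: '0',
};

// Split a comma-separated header value into trimmed tokens, optionally lowercased.
function tokens(value, lower = true) {
  return (value || '')
    .split(',')
    .map((t) => (lower ? t.trim().toLowerCase() : t.trim()))
    .filter(Boolean);
}

// Returns the conditions under which a CDN may store and replay this response.
// An empty list means the response is safe to put behind a shared cache.
function auditCacheHeaders(headers) {
  const findings = [];
  const cc = tokens(headers.get('cache-control'));
  const vary = tokens(headers.get('vary'));
  if (!cc.includes('no-store')) findings.push('Cache-Control lacks no-store');
  if (cc.some((t) => t === 'public' || t.startsWith('s-maxage=')))
    findings.push('Cache-Control permits shared caching');
  if (!vary.includes('cookie') && !vary.includes('*')) findings.push('Vary lacks Cookie');
  if (headers.has('set-cookie') && !cc.includes('no-store'))
    findings.push('Set-Cookie present on a cacheable response');
  return findings;
}

// Hardens the headers in place: adds Cookie to the existing Vary list instead of
// overwriting it, then applies the cache prevention headers from the workaround above.
function applyCachePrevention(headers) {
  const vary = tokens(headers.get('vary'), false);
  if (!vary.some((v) => v.toLowerCase() === 'cookie')) vary.push('Cookie');
  headers.set('Vary', vary.join(', '));
  for (const [name, value] of Object.entries(CACHE_PREVENTION)) headers.set(name, value);
  return headers;
}

// Middleware-style hook: any request carrying a cookie, or any response setting one,
// is treated as authenticated and hardened regardless of what the route handler set.
function hardenIfAuthenticated(requestHeaders, responseHeaders) {
  if (requestHeaders.has('cookie') || responseHeaders.has('set-cookie')) {
    applyCachePrevention(responseHeaders);
  }
  return responseHeaders;
}
```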
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.