Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-64762

CVE-2025-64762: WorkOS AuthKit-NextJS Auth Bypass Flaw

CVE-2025-64762 is an authentication bypass vulnerability in WorkOS AuthKit-NextJS that allows session tokens to be cached and served to multiple users. This article covers technical details, affected versions, and patches.

Published:

CVE-2025-64762 Overview

CVE-2025-64762 is a session token exposure vulnerability in the AuthKit library for Next.js, which provides authentication and session management helpers using WorkOS & AuthKit. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers, allowing session tokens to be included in cached responses when CDN caching is enabled. This can result in session tokens being served to multiple users, potentially enabling session hijacking and unauthorized access.

Critical Impact

Session tokens may be cached by CDNs and served to unauthorized users, leading to authentication bypass and potential account compromise across multiple users.

Affected Products

  • WorkOS authkit-nextjs versions 2.11.0 and earlier
  • Next.js applications with manually enabled CDN caching on authenticated paths
  • Applications NOT deployed on Vercel (Vercel deployments unaffected unless caching manually enabled)

Discovery Timeline

  • 2025-11-21 - CVE CVE-2025-64762 published to NVD
  • 2025-12-11 - Last updated in NVD database

Technical Details for CVE-2025-64762

Vulnerability Analysis

This vulnerability stems from missing cache control headers in authenticated responses within the AuthKit library. When a Next.js application uses AuthKit for session management and has CDN caching enabled, the library fails to set appropriate anti-caching headers (such as Cache-Control: no-store and Vary: Cookie) on responses that contain session tokens. As a result, CDN edge servers may cache these authenticated responses and subsequently serve them to different users, exposing session tokens across user boundaries.

The attack requires a specific deployment configuration where CDN caching is enabled on authenticated paths. Applications deployed on Vercel are unaffected by default, as Vercel does not cache responses unless developers explicitly configure caching headers on authenticated routes.

Root Cause

The root cause is the absence of defensive anti-caching headers in the authentication response handling code. The library did not include the Vary: Cookie header or cache prevention headers (like Cache-Control: no-store, no-cache, must-revalidate) on responses generated by authenticated routes. This oversight allows intermediate caching layers to store and replay responses containing sensitive session data.

Attack Vector

An attacker can exploit this vulnerability through network-based attacks in environments where CDN caching is enabled:

  1. The attacker makes an authenticated request to a vulnerable application
  2. The CDN caches the response containing the victim's session token
  3. Subsequent requests from other users receive the cached response with the victim's session token
  4. The attacker can then hijack the victim's session and gain unauthorized access

The patch introduces a preventCaching() function that explicitly sets the Vary: Cookie header and applies cache prevention headers to all authenticated responses:

typescript
import { WORKOS_CLIENT_ID } from './env-variables.js';
import { HandleAuthOptions } from './interfaces.js';
import { saveSession } from './session.js';
-import { errorResponseWithFallback, redirectWithFallback } from './utils.js';
+import { errorResponseWithFallback, redirectWithFallback, setCachePreventionHeaders } from './utils.js';
import { getWorkOS } from './workos.js';

+function preventCaching(headers: Headers): void {
+  headers.set('Vary', 'Cookie');
+  setCachePreventionHeaders(headers);
+}

function handleState(state: string | null) {
  let returnPathname: string | undefined = undefined;
  let userState: string | undefined;

Source: GitHub Commit Update

Detection Methods for CVE-2025-64762

Indicators of Compromise

  • Unusual session activity where users report seeing other users' data or sessions
  • CDN cache hit logs showing cached responses for authenticated endpoints
  • Multiple users accessing accounts simultaneously from different geographic locations
  • Application logs indicating session token reuse across different IP addresses

Detection Strategies

  • Review CDN access logs for cached responses on authentication-related paths (e.g., /api/auth/*, callback routes)
  • Monitor for anomalous authentication patterns where session tokens appear to be shared
  • Audit HTTP response headers on authenticated routes for missing Cache-Control and Vary headers
  • Implement session fingerprinting to detect sessions being used from multiple devices or locations

Monitoring Recommendations

  • Enable detailed logging for authentication events and session creation/validation
  • Configure CDN monitoring to alert on cached responses containing authentication cookies
  • Implement real-time alerting for session anomalies such as concurrent access from disparate locations
  • Regularly audit cache configurations on authenticated application paths

How to Mitigate CVE-2025-64762

Immediate Actions Required

  • Upgrade authkit-nextjs to version 2.11.1 or later immediately
  • Invalidate all CDN caches for authenticated paths to remove potentially cached session tokens
  • Force re-authentication for all active user sessions as a precautionary measure
  • Review CDN caching configurations and disable caching on authentication-related endpoints

Patch Information

WorkOS has released version 2.11.1 of authkit-nextjs which applies anti-caching headers to all responses behind authentication. The patch introduces the setCachePreventionHeaders() utility function and a preventCaching() helper that sets both the Vary: Cookie header and standard cache prevention headers.

For detailed patch information, see the GitHub Security Advisory GHSA-p8pf-44ff-93gf and the GitHub Release v2.11.1.

Workarounds

  • Manually add anti-caching headers to authenticated routes using Next.js middleware or route handlers
  • Disable CDN caching entirely on all authenticated paths until the upgrade can be completed
  • Configure CDN rules to bypass caching for requests containing authentication cookies
  • Implement a reverse proxy rule to inject cache prevention headers for authenticated endpoints
bash
# Configuration example - Add to your CDN or middleware
# Ensure these headers are set on all authenticated responses:
Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate
Pragma: no-cache
Expires: 0
Vary: Cookie

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.