CVE-2025-55008: The AuthKit React Router Library rendered sensitive auth data in HTML
In versions before 0.7.0, @workos-inc/authkit-react-router exposed sensitive authentication artifacts, specifically sealedSession and accessToken, by returning them from the authkitLoader. This caused them to be rendered into the browser HTML.
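A defender-side check for the issue described above, as an added example that is not code from the advisory or from the authkit-react-router project: it flags installs of the package before 0.7.0 in a parsed package-lock.json and reports whether the two named fields appear in rendered HTML. The lockfile contents, the HTML strings and the variable name constructedLoaderData are constructed for illustration and do not reproduce React Router's actual serialization format.

```javascript
// Added example, not from the authkit-react-router project.
const PKG = "@workos-inc/authkit-react-router";
const FIXED = [0, 7, 0]; // first fixed release per the advisory
const SENSITIVE_KEYS = ["sealedSession", "accessToken"];

// True when a version string is before 0.7.0 (pre-releases of 0.7.0 included).
function isAffected(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(version || "");
  if (!m) return true; // unparseable: flag for manual review
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIXED[i]) return v[i] < FIXED[i];
  }
  return Boolean(m[4]); // e.g. 0.7.0-beta.1 sorts before 0.7.0
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3),
// including copies nested under other dependencies.
function affectedInstalls(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path.endsWith("node_modules/" + PKG))
    .filter(([, meta]) => isAffected(meta.version))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Names of the sensitive loader fields that appear anywhere in rendered HTML.
function leakedAuthFields(html) {
  return SENSITIVE_KEYS.filter((key) => html.includes(key));
}

// Constructed sample data (not a real lockfile or real page output).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app" },
    "node_modules/@workos-inc/authkit-react-router": { version: "0.6.1" },
    "node_modules/dep/node_modules/@workos-inc/authkit-react-router": { version: "0.7.0" },
  },
};
const leakyHtml = '<script>var constructedLoaderData = {"user":{"id":"u1"},' +
  '"sealedSession":"CONSTRUCTED","accessToken":"CONSTRUCTED"};</script>';
const cleanHtml = '<script>var constructedLoaderData = {"user":{"id":"u1"}};</script>';

console.log(affectedInstalls(sampleLock));
console.log(leakedAuthFields(leakyHtml), leakedAuthFields(cleanHtml));
```

The HTML check is a plain substring match, so a page that legitimately mentions either field name in visible text will also be reported and needs a manual look.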
References
- github.com/advisories/GHSA-vqvc-9q8x-vmq6
- github.com/workos/authkit-react-router
- github.com/workos/authkit-react-router/commit/607caac658784962bab76e227f9c5820d0b9a9e5
- github.com/workos/authkit-react-router/releases/tag/v0.7.0
- github.com/workos/authkit-react-router/security/advisories/GHSA-vqvc-9q8x-vmq6
- nvd.nist.gov/vuln/detail/CVE-2025-55008