CVE-2025-64762

Published 21/11/2025 02:15 · Modified 11/12/2025 17:45

Labels: CVE-2025-64762, 2025-11-21, CWE-524

Essential information

Published: 21/11/2025 02:15
Modified: 11/12/2025 17:45
Author:
Creator:
CVSS: 8.0 HIGH (v3), 8.0 HIGH (v4.0)
CISA KEV: No
CWE:
CVSS vector:

Description

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication.
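
As an added example (not code from authkit-nextjs or from this advisory), the following header audit flags responses that carry a Set-Cookie header without a directive that keeps shared caches from storing them. The function names, the sample responses and the directives checked (no-store, private) are assumptions for illustration, not the exact headers the 2.11.1 patch applies.

```javascript
// Added example: audit response headers for the caching condition described above.
// All sample responses are constructed; cookie values are placeholders.

// Parse a Cache-Control value into a Map of lowercase directive -> value.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of String(value || "").split(",")) {
    const [name, ...rest] = part.trim().split("=");
    if (name) directives.set(name.toLowerCase(), rest.join("="));
  }
  return directives;
}

// Look up a header case-insensitively in a plain object.
function getHeader(headers, wanted) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === wanted);
  return key === undefined ? undefined : headers[key];
}

// Returns "ok", "warn" or "fail" for one response's headers.
function auditResponse(headers) {
  if (getHeader(headers, "set-cookie") === undefined) return "ok"; // no cookie in response
  const cc = parseCacheControl(getHeader(headers, "cache-control"));
  // no-store and private both forbid storage by a shared cache such as a CDN.
  if (cc.has("no-store") || cc.has("private")) return "ok";
  // Explicitly invites caching of a response that carries a cookie.
  if (cc.has("public") || cc.has("s-maxage") || Number(cc.get("max-age")) > 0) return "fail";
  // No directive either way: the CDN's default policy decides.
  return "warn";
}

// Audit a named set of responses and return name -> verdict.
function auditAll(responses) {
  return Object.fromEntries(
    Object.entries(responses).map(([name, headers]) => [name, auditResponse(headers)])
  );
}

const samples = {
  antiCaching: { "Set-Cookie": "session=PLACEHOLDER; HttpOnly", "Cache-Control": "private, no-store, max-age=0" },
  cdnEnabled: { "set-cookie": "session=PLACEHOLDER; HttpOnly", "cache-control": "public, s-maxage=300" },
  unspecified: { "Set-Cookie": "session=PLACEHOLDER; HttpOnly" },
  staticAsset: { "Cache-Control": "public, max-age=31536000, immutable" },
};

console.log(auditAll(samples));
```
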

NVD status

Status: Analyzed. CVE has had analysis completed and all data associations made.

Affected products (CPE)

Product: workos / authkit-nextjs
CPE: cpe:2.3:a:workos:authkit-nextjs:*:*:*:*:*:node.js:*:*