CVE-2025-55009

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts  specifically sealedSession and accessToken  by returning them from the authkitLoader. This caused them to be rendered into the browser HTML.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTNIST
7.1 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
GitHub_MCNA
7.1 HIGH
NETWORK
HIGH
LOW
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L
Awaiting analysis
This vulnerability is currently awaiting analysis.
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Common Weakness Enumeration
References
https://github.com/workos/authkit-remix/commit/20102afc74bf3dd5150a975a098067fb406b90b6
https://github.com/workos/authkit-remix/releases/tag/v0.15.0
https://github.com/workos/authkit-remix/security/advisories/GHSA-v3gr-w9gf-23cx