Overview
CVE-2025-64762 identifies a security vulnerability in the AuthKit library for Next.js, specifically in versions 2.11.0 and below. This library provides helpers for authentication and session management when used with WorkOS and Next.js. The vulnerability arises from a failure to implement anti-caching headers in authenticated responses, potentially leading to session tokens being cached by CDNs and inadvertently served to multiple users.
Technical Details
The AuthKit library, prior to version 2.11.1, did not include necessary anti-caching headers (such as Cache-Control: no-cache, no-store, must-revalidate) in responses that contained authentication or session information. In environments employing CDN caching, this omission could result in these responses being cached. Consequently, subsequent requests from different users might be served the cached response, including the original user’s session token. Next.js applications deployed on Vercel are generally unaffected unless CDN caching is manually enabled by setting custom cache headers on authenticated paths.
CVSS Analysis
Currently, a CVSS score and severity level have not been assigned for CVE-2025-64762. However, given the potential for session hijacking, the severity is likely to be classified as at least “Medium,” and potentially “High,” depending on the scope of impact and exploitability. A future update may include an official CVSS score.
Possible Impact
The exploitation of this vulnerability can have significant security implications:
- Session Hijacking: An attacker could potentially gain unauthorized access to user accounts by receiving a cached response containing a valid session token.
- Data Breach: Depending on the application and the scope of the session, attackers might access sensitive user data or perform actions on behalf of the compromised user.
- Reputational Damage: A successful attack could severely damage the reputation of the affected application and organization.
Mitigation and Patch Steps
The vulnerability has been addressed in AuthKit version 2.11.1. The recommended mitigation is to upgrade to this version or a later release immediately. Version 2.11.1 applies anti-caching headers to all responses behind authentication.
- Upgrade AuthKit: Update the authkit-nextjs package in your Next.js project to version 2.11.1 or higher using your preferred package manager (npm, yarn, or pnpm). For example: npm install authkit-nextjs@latest
- Verify Implementation: After upgrading, verify that anti-caching headers are being applied to authenticated routes in your Next.js application. Use browser developer tools or a proxy to inspect the HTTP headers of responses from these routes.
- Review Caching Configuration: Double-check your CDN caching configuration to ensure that authenticated paths are not being inadvertently cached. If you’ve manually enabled caching on such routes, disable it or implement appropriate cache invalidation strategies.
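The checks described under Technical Details and in the three mitigation steps above, as an added example that is not the AuthKit project's code and is not part of the advisory: markNoStore stamps the anti-caching headers the fixed release is described as sending onto a response, and auditResponse performs the "Verify Implementation" step as a function you can call from a test, flagging any response that sets a session cookie while still being storable by a shared cache such as a CDN. It assumes Node.js 18 or later for the global Response and Headers classes; the session cookie name, the sample response, and the Pragma/Expires headers are constructed additions beyond the Cache-Control value the advisory quotes.

```javascript
// Added example, not code from the AuthKit project or the advisory.
// Uses only the WHATWG Response/Headers globals of Node.js 18+ (assumption).
// NextResponse extends Response, so the same functions accept it unchanged.
'use strict';

// Cache-Control value quoted in the advisory. Pragma and Expires are legacy
// equivalents for old HTTP/1.0-style caches and are an addition here.
const ANTI_CACHE_HEADERS = Object.freeze({
  'Cache-Control': 'no-cache, no-store, must-revalidate',
  'Pragma': 'no-cache',
  'Expires': '0',
});

// Session cookie name: constructed for this example. Substitute the cookie
// name your auth layer actually issues.
const SESSION_COOKIE = 'session';

// Return a copy of `res` carrying the anti-caching headers. A new Response is
// built instead of mutating res.headers, because responses returned by
// fetch() have immutable headers.
function markNoStore(res) {
  const headers = new Headers(res.headers);
  for (const [name, value] of Object.entries(ANTI_CACHE_HEADERS)) {
    headers.set(name, value);
  }
  return new Response(res.body, {
    status: res.status,
    statusText: res.statusText,
    headers,
  });
}

// Parse a Cache-Control value into a Map of directive -> value (null if bare).
function parseCacheControl(value) {
  const directives = new Map();
  if (!value) return directives;
  for (const part of value.split(',')) {
    const [rawName, ...rest] = part.split('=');
    const name = rawName.trim().toLowerCase();
    if (name) directives.set(name, rest.length ? rest.join('=').trim() : null);
  }
  return directives;
}

// Would a shared cache be allowed to store this response? A missing
// Cache-Control is treated as cacheable: CDNs commonly apply a default TTL in
// that case, which is exactly the situation the advisory describes.
function isSharedCacheable(res) {
  const cc = parseCacheControl(res.headers.get('cache-control'));
  return !(cc.has('no-store') || cc.has('private'));
}

// Does the response hand out session material, i.e. a Set-Cookie for the
// session cookie? Handles the single combined Set-Cookie value that
// Headers.get() returns when several cookies are set.
function carriesSession(res) {
  const setCookie = res.headers.get('set-cookie') || '';
  return new RegExp('(^|[,\\s])' + SESSION_COOKIE + '=').test(setCookie);
}

// The "Verify Implementation" step as a value a test can assert on.
function auditResponse(res) {
  const session = carriesSession(res);
  const cacheable = isSharedCacheable(res);
  return {
    carriesSession: session,
    sharedCacheable: cacheable,
    cacheControl: res.headers.get('cache-control'),
    // The dangerous combination: a session token that a shared cache may store.
    risky: session && cacheable,
  };
}

// Constructed sample of a session-setting response with no Cache-Control at
// all (no real AuthKit output is reproduced).
function sampleSessionResponse() {
  return new Response('<html>signed in</html>', {
    status: 200,
    headers: {
      'Content-Type': 'text/html',
      'Set-Cookie': `${SESSION_COOKIE}=EXAMPLE_TOKEN; Path=/; HttpOnly; Secure; SameSite=Lax`,
    },
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  const before = sampleSessionResponse();
  const after = markNoStore(before);
  console.log('before:', auditResponse(before)); // risky: true
  console.log('after: ', auditResponse(after));  // risky: false
}
```

In a Next.js route handler or middleware the same call works on a NextResponse, and auditResponse can be pointed at responses captured in an integration test against the sign-in callback and other authenticated paths. For the "Review Caching Configuration" step, note that isSharedCacheable treats max-age or s-maxage without private or no-store as storable, which is the manually enabled CDN caching the advisory warns about.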
References
- GitHub Commit: workos/authkit-nextjs
- Release Notes: workos/authkit-nextjs
- Security Advisory: workos/authkit-nextjs
