Vulnerability Description
The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication.
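The fix described above is the "defensive" pattern of stamping anti-caching headers onto every response produced behind authentication, regardless of what a route or CDN configuration says. The following is an added example, not code from authkit-nextjs or the linked patch, showing that pattern in framework-agnostic form: a wrapper that overwrites caching headers on any handler's response, plus a defender-side checker that flags responses a shared cache could store together with a session cookie. It uses only the Fetch API globals (`Headers`, `Request`, `Response`) that Node 18+ and edge runtimes provide; function names, the cookie name and the token value are constructed for illustration.

```javascript
// Added example (not authkit-nextjs's own code): mark every response produced
// behind authentication as non-cacheable, and detect responses a shared cache
// (CDN) could store alongside a session. Fetch API globals only (Node 18+).
// Function names are assumptions chosen for this illustration.

const NO_STORE_HEADERS = Object.freeze({
  // private: shared caches must not store; no-store: no cache may store;
  // the remaining directives cover older intermediaries and HTTP/1.0 caches.
  "Cache-Control": "private, no-cache, no-store, max-age=0, must-revalidate",
  Pragma: "no-cache",
  Expires: "0",
});

// Overwrite (never merge) caching headers so a route-level "public, max-age"
// cannot survive on an authenticated response.
function applyNoStore(headers) {
  for (const [name, value] of Object.entries(NO_STORE_HEADERS)) {
    headers.set(name, value);
  }
  return headers;
}

// Parse a Cache-Control value into a lower-cased directive map, e.g.
// "public, max-age=60" -> { public: "", "max-age": "60" }.
function parseCacheControl(value) {
  const directives = {};
  for (const part of (value || "").split(",")) {
    const [rawName, ...rest] = part.trim().split("=");
    const name = rawName.trim().toLowerCase();
    if (name) directives[name] = rest.join("=").trim().replace(/^"|"$/g, "");
  }
  return directives;
}

// Heuristic check for tests or CI: a response that carries session state
// (Set-Cookie, or content that varies on Cookie/Authorization) but is not
// marked private/no-store may be stored by a shared cache and served to
// other users. Returns true when that risk is present.
function isSharedCacheRisk(headers) {
  const cc = parseCacheControl(headers.get("cache-control"));
  const protectedFromSharedCache = "no-store" in cc || "private" in cc;
  const carriesSession =
    headers.has("set-cookie") ||
    /\b(cookie|authorization)\b/i.test(headers.get("vary") || "");
  return carriesSession && !protectedFromSharedCache;
}

// Wrap a handler so whatever it returns (even an explicitly cacheable
// response from route configuration) leaves with anti-caching headers.
function withAuthenticatedNoStore(handler) {
  return async (request) => {
    const response = await handler(request);
    applyNoStore(response.headers);
    return response;
  };
}

// Stand-alone demo with a constructed handler that wrongly marks an
// authenticated page as publicly cacheable while setting a session cookie.
async function demo() {
  const leakyHandler = () =>
    new Response("<h1>Dashboard for alice</h1>", {
      headers: {
        "Content-Type": "text/html",
        "Cache-Control": "public, max-age=300",
        // constructed cookie name and token value, not a real session
        "Set-Cookie": "session=CONSTRUCTED_EXAMPLE_TOKEN; Path=/; HttpOnly; Secure",
      },
    });
  const before = leakyHandler();
  const after = await withAuthenticatedNoStore(leakyHandler)(
    new Request("https://example.test/dashboard")
  );
  return {
    riskBefore: isSharedCacheRisk(before.headers),
    riskAfter: isSharedCacheRisk(after.headers),
    cacheControlAfter: after.headers.get("cache-control"),
  };
}

demo().then((result) => console.log(result));
```

The wrapper sets headers with `set` rather than `append` on purpose: a merged `public, max-age=300, private, no-store` is ambiguous to some intermediaries, whereas a single overwritten value is not. The checker is intentionally conservative and only inspects headers; it is meant to run against responses from authenticated routes in a test suite so a regression like the one in this advisory is caught before a CDN is put in front of the application.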
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Workos | Authkit-Nextjs | < 2.11.1 |
Related Weaknesses (CWE)
References
- https://github.com/workos/authkit-nextjs/commit/94cf438124993abb0e7c19dac64c3cb5 (Patch)
- https://github.com/workos/authkit-nextjs/releases/tag/v2.11.1 (Release Notes)
- https://github.com/workos/authkit-nextjs/security/advisories/GHSA-p8pf-44ff-93gf (Patch, Third Party Advisory)
FAQ
What is CVE-2025-64762?
CVE-2025-64762 is a vulnerability with a CVSS score of 9.1 (CRITICAL). The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated res...
How severe is CVE-2025-64762?
CVE-2025-64762 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2025-64762?
Check the references section above for vendor advisories and patch information. Affected products include: Workos Authkit-Nextjs.