
CVE-2024-51752: @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled

CVSS Score: 2.1 (CVSS v4.0)

Basic Information

EPSS Score: 0.13177%
Published: 11/5/2024
Updated: 11/5/2024
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name: @workos-inc/authkit-nextjs
Ecosystem: npm
Vulnerable Versions: < 0.13.2
First Patched Version: 0.13.2

Vulnerability Intelligence
Root Cause Analysis

The commit diff shows two critical changes in `src/session.ts` where refresh token logging was removed. The original code contained `console.log('Session invalid. Attempting refresh', session.refreshToken)` and `console.log('Refresh successful:', refreshToken)`, both guarded by a debug flag check. These statements wrote a live credential (the refresh token) into the logs whenever debug output was enabled. The patched version replaces them with logging of a partial access token, confirming that these two statements were the vulnerable points. No other functions or files in the diff showed security-sensitive logging patterns.
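As an added illustration (not code from authkit-nextjs or the patch itself), the two patterns the analysis above contrasts: a debug-gated log statement that writes the whole refresh token, beside a variant that only ever emits a truncated access-token fragment, plus a small log-hygiene check that scans emitted lines for any full secret. The function names, the in-memory log sink and the sample tokens are constructed for the example.

```typescript
// Added example; mirrors the CVE-2024-51752 pattern but is not the project's code.
type Session = { accessToken: string; refreshToken: string };

// Vulnerable pattern: behind a debug flag, the whole refresh token reaches the log sink.
function debugLogVulnerable(debug: boolean, sink: string[], session: Session): void {
  if (debug) {
    sink.push(`Session invalid. Attempting refresh ${session.refreshToken}`);
  }
}

// Partial rendering: keep a short prefix for correlation, hide the rest.
function partial(token: string, keep: number = 6): string {
  if (token.length <= keep) return "*".repeat(token.length);
  return `${token.slice(0, keep)}...(${token.length - keep} more chars)`;
}

// Hardened pattern: only a redacted access-token fragment is logged; the refresh
// token is never handed to the logger at all, so it cannot leak via log verbosity.
function debugLogHardened(debug: boolean, sink: string[], session: Session): void {
  if (debug) {
    sink.push(`Session invalid. Attempting refresh (access token ${partial(session.accessToken)})`);
  }
}

// Log-hygiene check a unit test could run: does any emitted line contain a full secret?
function leaksSecret(sink: string[], secrets: string[]): boolean {
  return sink.some((line) => secrets.some((s) => s.length > 0 && line.includes(s)));
}

// Constructed sample session (not real credentials).
const SAMPLE: Session = {
  accessToken: "at_constructed_9f2c1b7e4a",
  refreshToken: "rt_constructed_c3d9e8a1f0",
};

// Run both loggers with the same debug setting and report whether each leaked.
function demo(debug: boolean = true): { vulnerableLeaks: boolean; hardenedLeaks: boolean; hardenedLine: string } {
  const vulnSink: string[] = [];
  const hardSink: string[] = [];
  debugLogVulnerable(debug, vulnSink, SAMPLE);
  debugLogHardened(debug, hardSink, SAMPLE);
  const secrets = [SAMPLE.accessToken, SAMPLE.refreshToken];
  return {
    vulnerableLeaks: leaksSecret(vulnSink, secrets),
    hardenedLeaks: leaksSecret(hardSink, secrets),
    hardenedLine: hardSink[0] ?? "",
  };
}
```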



Impact

Refresh tokens are logged to the console when the `debug` flag, which is disabled by default, is enabled.

Patches

Patched in https://github.com/workos/authkit-nextjs/releases/tag/v0.13.2
