The vulnerability lies in the authkitLoader function in @workos-inc/authkit-react-router prior to version 0.7.0; analysis of patch commit 607caac658784962bab76e227f9c5820d0b9a9e5 confirms this. The core issue was that authkitLoader returned sensitive data, specifically accessToken and sealedSession, as part of its standard return object, so this data was serialized into the loader data embedded in the HTML sent to the client. The patch remediates this by removing these fields from the AuthorizedData object created within authkitLoader. Instead of exposing the access token by default, the patched version introduces a getAccessToken function that can be explicitly called within the loader on the server side, so the token is no longer automatically leaked into the client's HTML source. The changes in src/interfaces.ts and src/session.ts show the removal of the sensitive fields from the data structure that gets passed to the client, directly addressing the reported vulnerability.
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @workos-inc/authkit-react-router | npm | < 0.7.0 | 0.7.0 |
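The pattern described above, as an added example that is not the library's own code: a React Router-style loader that returns the whole session (the pre-0.7.0 shape) beside one that keeps the token server-side, plus a check that flags sensitive keys before loader data is serialized into HTML. The `SessionLike` type, the sample session values and the `findLeakedKeys` helper are hypothetical stand-ins, not the package's real interfaces.

```typescript
// Added example modelling the leak and the fix; names and values are hypothetical.
interface SessionLike {
  user: { id: string; email: string };
  accessToken: string;
  sealedSession: string;
}

// Constructed sample session; placeholders, not real tokens.
export const SAMPLE_SESSION: SessionLike = {
  user: { id: "user_01", email: "alice@example.com" },
  accessToken: "<ACCESS_TOKEN_PLACEHOLDER>",
  sealedSession: "<SEALED_SESSION_PLACEHOLDER>",
};

// Pre-0.7.0 shape: the loader's return object carries the access token and
// sealed session, so both end up in the loader data shipped to the browser.
export function vulnerableLoader(session: SessionLike) {
  return {
    user: session.user,
    accessToken: session.accessToken,
    sealedSession: session.sealedSession,
  };
}

// Patched shape: only non-sensitive fields are returned. Server-side code that
// needs the token calls getAccessToken() and never places it in the return value.
export function patchedLoader(session: SessionLike) {
  const getAccessToken = (): string => session.accessToken; // server-side only
  const tokenAvailable = getAccessToken().length > 0; // e.g. used for a backend API call
  return { user: session.user, tokenAvailable };
}

// Simulates how a framework embeds loader data into the HTML document.
export function serializeLoaderData(data: object): string {
  return `<script>window.__loaderData = ${JSON.stringify(data)};</script>`;
}

// Defender check: list any sensitive keys that would reach the client.
const SENSITIVE_KEYS = ["accessToken", "sealedSession", "refreshToken"];
export function findLeakedKeys(data: object): string[] {
  const record = data as Record<string, unknown>;
  return SENSITIVE_KEYS.filter((k) => k in record && record[k] !== undefined);
}
```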