7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-55009

GHSA ID

GHSA-v3gr-w9gf-23cx

EPSS Score

CWE

CWE-200

Published

8/8/2025

Updated

8/8/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-55009

CVE-2025-55009: The AuthKit Remix Library renders sensitive auth data in HTML

In versions before 0.15.0, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning them from the authkitLoader. This caused them to be rendered into the browser HTML.

Impact

Exposure of these artifacts could lead to session hijacking in environments where cross-site scripting (XSS), malicious browser extensions, or local inspection is possible.

Patches

Patched in https://github.com/workos/authkit-remix/releases/tag/v0.15.0

In patched versions:

sealedSession and accessToken are no longer returned by default from the authkitLoader.
A secure server-side mechanism is provided to fetch an access token as needed.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2025-55009

CVE-2025-55009:

7.1

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2025-55009

GHSA ID

GHSA-v3gr-w9gf-23cx

EPSS Score

CWE

CWE-200

Published

8/8/2025

Updated

8/8/2025

KEV Status

Technology

JavaScript

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@workos-inc/authkit-remix	npm	< 0.15.0	0.15.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the @workos-inc/authkit-remix library, where the primary loader function, authkitLoader, exposed sensitive authentication artifacts to the client-side. By analyzing the provided patch (commit 20102afc74bf3dd5150a975a098067fb406b90b6), I identified the exact source of the vulnerability.

The commit shows several key changes:

Interface Modification (src/interfaces.ts): The accessToken and sealedSession properties were removed from the AuthorizedData and UnauthorizedData interfaces. This is a direct indication that these fields are no longer intended to be part of the data structure returned to the user's application code.
Core Logic Change (src/session.ts): The authkitLoader function was modified to no longer populate accessToken and sealedSession in the auth object that it creates. This is the root cause of the vulnerability. Previously, this object was returned by the loader, and because Remix serializes loader data into the HTML, these sensitive values became client-visible.
Introduction of a Secure Alternative: The patch introduces a getAccessToken function that is passed to the developer's custom loader. This new pattern ensures that the access token is only available on the server-side within the loader's scope and is not returned to the client unless explicitly done so by the developer, who is warned of the security implications in the updated documentation.

Based on this evidence, the authkitLoader function is the sole vulnerable function. During runtime, when a page using this loader is rendered, authkitLoader would be called on the server. In vulnerable versions, its execution would result in sensitive data being passed into the Remix rendering pipeline, ultimately exposing it in the browser. Therefore, authkitLoader is the function that would appear in a runtime profile related to the exploitation of this vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.1

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2025-55009: The AuthKit Remix Library renders sensitive auth data in HTML

Impact

Patches

CVE-2025-55009:

7.1

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

7.1

7.1

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Basic Information

Basic Information

CVE-2025-55009: The AuthKit Remix Library renders sensitive auth data in HTML

Impact

Patches

Technical Details

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI