
CVE-2025-55009: The AuthKit Remix Library renders sensitive auth data in HTML

CVSS 3.1 Score: 7.1

Basic Information

EPSS Score: -
Published: 8/8/2025
Updated: 8/8/2025
KEV Status: No
Technology: JavaScript

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Package Name: @workos-inc/authkit-remix
Ecosystem: npm
Vulnerable Versions: < 0.15.0
First Patched Version: 0.15.0

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability lies in the @workos-inc/authkit-remix library, where the primary loader function, authkitLoader, exposed sensitive authentication artifacts to the client side. By analyzing the provided patch (commit 20102afc74bf3dd5150a975a098067fb406b90b6), I identified the exact source of the vulnerability.

The commit shows several key changes:

  1. Interface Modification (src/interfaces.ts): The accessToken and sealedSession properties were removed from the AuthorizedData and UnauthorizedData interfaces. This is a direct indication that these fields are no longer intended to be part of the data structure returned to the user's application code.
  2. Core Logic Change (src/session.ts): The authkitLoader function was modified to no longer populate accessToken and sealedSession in the auth object that it creates. This change addresses the root cause of the vulnerability: previously, this object (including both secrets) was returned by the loader, and because Remix serializes loader data into the HTML, these sensitive values became visible to the client.
  3. Introduction of a Secure Alternative: The patch introduces a getAccessToken function that is passed to the developer's custom loader. This new pattern ensures that the access token is only available on the server side within the loader's scope and is not returned to the client unless the developer explicitly returns it; the updated documentation warns the developer of the security implications of doing so.

Based on this evidence, the authkitLoader function is the sole vulnerable function. During runtime, when a page using this loader is rendered, authkitLoader would be called on the server. In vulnerable versions, its execution would result in sensitive data being passed into the Remix rendering pipeline, ultimately exposing it in the browser. Therefore, authkitLoader is the function that would appear in a runtime profile related to the exploitation of this vulnerability.
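The mechanism described above (a loader's return value being serialized into the page HTML, and the patched getAccessToken pattern keeping the token in server scope) is illustrated by the following added example. It is not code from @workos-inc/authkit-remix or from Remix: renderLoaderDataToHtml is a hypothetical stand-in for Remix's loader-data hydration, vulnerableAuthkitLoader and patchedAuthkitLoader are simplified models of the pre- and post-0.15.0 behaviour, the CustomLoader signature is an assumption, and the session values are constructed placeholders.

```typescript
// Added illustration of CVE-2025-55009; not code from @workos-inc/authkit-remix.
// It models how a Remix loader's return value reaches the browser HTML and
// contrasts the pre-0.15.0 loader with the patched getAccessToken pattern.

// Constructed, fake server-side session; no real credentials.
interface ServerSession {
  user: { id: string; email: string };
  accessToken: string;   // bearer token, intended to stay server-only
  sealedSession: string; // encrypted session blob, intended to stay server-only
}

const SAMPLE_SESSION: ServerSession = {
  user: { id: "user_0001", email: "alice@example.com" },
  accessToken: "ACCESS_TOKEN_PLACEHOLDER_abc123",
  sealedSession: "SEALED_SESSION_PLACEHOLDER_xyz789",
};

type LoaderData = Record<string, unknown>;

// Hypothetical stand-in for Remix hydration: whatever a loader returns is
// JSON-serialized into a <script> tag so the client can hydrate from it.
function renderLoaderDataToHtml(data: LoaderData): string {
  const json = JSON.stringify(data).replace(/</g, "\\u003c");
  return `<!DOCTYPE html><html><body><div id="app"></div>` +
    `<script>window.__remixContext = ${json};</script></body></html>`;
}

// Pre-0.15.0 shape (simplified): the auth object carries both secrets,
// so they are serialized into the HTML along with the user record.
function vulnerableAuthkitLoader(session: ServerSession): LoaderData {
  return {
    user: session.user,
    accessToken: session.accessToken,
    sealedSession: session.sealedSession,
  };
}

// Patched shape (simplified): the returned auth object omits both secrets.
// The developer's custom loader gets a getAccessToken callback that works
// only inside the server-side loader scope; the token reaches the client
// only if the custom loader deliberately puts it in its return value.
type CustomLoader = (args: { getAccessToken: () => string }) => LoaderData;

function patchedAuthkitLoader(session: ServerSession, customLoader?: CustomLoader): LoaderData {
  const auth: LoaderData = { user: session.user };
  const extra: LoaderData = customLoader
    ? customLoader({ getAccessToken: () => session.accessToken })
    : {};
  return { ...auth, ...extra };
}

// Defender-side check: which named secrets appear verbatim in rendered HTML?
function leakedSecrets(html: string, secrets: Record<string, string>): string[] {
  return Object.keys(secrets).filter((name) => html.includes(secrets[name]));
}

// Runs the four scenarios and reports which secrets each one leaks.
function runScenarios(): Record<string, string[]> {
  const secrets: Record<string, string> = {
    accessToken: SAMPLE_SESSION.accessToken,
    sealedSession: SAMPLE_SESSION.sealedSession,
  };
  const vulnerableHtml = renderLoaderDataToHtml(vulnerableAuthkitLoader(SAMPLE_SESSION));
  const patchedHtml = renderLoaderDataToHtml(patchedAuthkitLoader(SAMPLE_SESSION));

  // Intended use of the new pattern: consume the token on the server
  // (e.g. to call an upstream API) and return only non-secret results.
  const serverOnlyUse: CustomLoader = ({ getAccessToken }) => {
    const token = getAccessToken();
    return { apiCalled: token.length > 0 };
  };
  const serverOnlyHtml = renderLoaderDataToHtml(patchedAuthkitLoader(SAMPLE_SESSION, serverOnlyUse));

  // The documented footgun: explicitly returning the token re-creates the exposure.
  const explicitReturn: CustomLoader = ({ getAccessToken }) => ({ token: getAccessToken() });
  const explicitReturnHtml = renderLoaderDataToHtml(patchedAuthkitLoader(SAMPLE_SESSION, explicitReturn));

  return {
    vulnerable: leakedSecrets(vulnerableHtml, secrets),
    patched: leakedSecrets(patchedHtml, secrets),
    patchedServerOnly: leakedSecrets(serverOnlyHtml, secrets),
    patchedExplicitReturn: leakedSecrets(explicitReturnHtml, secrets),
  };
}

console.log(JSON.stringify(runScenarios(), null, 2));
```

The vulnerable scenario leaks both accessToken and sealedSession; the patched loader leaks nothing, whether or not a custom loader consumes the token server-side; only a custom loader that explicitly returns the token puts it back into the HTML. The leakedSecrets check is the kind of assertion worth keeping in a test suite for any Remix route whose loader touches credentials: render the route and assert that no known secret value appears in the document.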


WAF Protection Rules

WAF Rule

In versions before `0.15.0`, `@workos-inc/authkit-remix` exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning them from the `authkitLoader`. This caused them to be rendered into the browser HTML.
