{"id":"CVE-2025-55009","summary":"AuthKit: Sensitive auth data rendered in HTML","details":"The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning them from the authkitLoader. This caused them to be rendered into the browser HTML.","aliases":["GHSA-v3gr-w9gf-23cx"],"modified":"2026-04-02T12:55:04.393291Z","published":"2025-08-09T02:02:07.611Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55009.json","cwe_ids":["CWE-200"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/workos/authkit-remix/releases/tag/v0.15.0"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/55xxx/CVE-2025-55009.json"},{"type":"ADVISORY","url":"https://github.com/workos/authkit-remix/security/advisories/GHSA-v3gr-w9gf-23cx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-55009"},{"type":"FIX","url":"https://github.com/workos/authkit-remix/commit/20102afc74bf3dd5150a975a098067fb406b90b6"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/workos/authkit-remix","events":[{"introduced":"0"},{"fixed":"20102afc74bf3dd5150a975a098067fb406b90b6"}]},{"type":"GIT","repo":"https://github.com/workos/authkit-remix","events":[{"introduced":"0"},{"fixed":"233d6c9f69ef716605e2ac49a6ac55b9b2f937d6"}]}],"versions":["v0.1.0","v0.10.0","v0.11.0","v0.12.0","v0.13.0","v0.14.0","v0.14.1","v0.2.0","v0.3.0","v0.3.1","v0.4.0","v0.4.1","v0.5.0","v0.6.0","v0.7.0","v0.7.1","v0.8.0","v0.9.0","v0.9.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-55009.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"}]}