{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-55008", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-08-04T17:34:24.422Z", "datePublished": "2025-08-09T02:02:14.950Z", "dateUpdated": "2025-08-11T14:33:33.678Z"}, "containers": {"cna": {"title": "AuthKit React Router: Sensitive auth data rendered in HTML", "problemTypes": [{"descriptions": [{"cweId": "CWE-200", "lang": "en", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/workos/authkit-react-router/security/advisories/GHSA-vqvc-9q8x-vmq6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/workos/authkit-react-router/security/advisories/GHSA-vqvc-9q8x-vmq6"}, {"name": "https://github.com/workos/authkit-react-router/commit/607caac658784962bab76e227f9c5820d0b9a9e5", "tags": ["x_refsource_MISC"], "url": "https://github.com/workos/authkit-react-router/commit/607caac658784962bab76e227f9c5820d0b9a9e5"}, {"name": "https://github.com/workos/authkit-react-router/releases/tag/v0.7.0", "tags": ["x_refsource_MISC"], "url": "https://github.com/workos/authkit-react-router/releases/tag/v0.7.0"}], "affected": [{"vendor": "workos", "product": "authkit-react-router", "versions": [{"version": "< 0.7.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-09T02:02:14.950Z"}, "descriptions": [{"lang": "en", "value": "The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts \u2014 specifically sealedSession and accessToken by returning them from the authkitLoader. This caused them to be rendered into the browser HTML. This issue is fixed in version 0.7.0."}], "source": {"advisory": "GHSA-vqvc-9q8x-vmq6", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-08-11T14:32:24.190307Z", "id": "CVE-2025-55008", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T14:33:33.678Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-55008", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-08-11T14:32:24.190307Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-08-11T14:33:25.226Z"}}], "cna": {"title": "AuthKit React Router: Sensitive auth data rendered in HTML", "source": {"advisory": "GHSA-vqvc-9q8x-vmq6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "workos", "product": "authkit-react-router", "versions": [{"status": "affected", "version": "< 0.7.0"}]}], "references": [{"url": "https://github.com/workos/authkit-react-router/security/advisories/GHSA-vqvc-9q8x-vmq6", "name": "https://github.com/workos/authkit-react-router/security/advisories/GHSA-vqvc-9q8x-vmq6", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/workos/authkit-react-router/commit/607caac658784962bab76e227f9c5820d0b9a9e5", "name": "https://github.com/workos/authkit-react-router/commit/607caac658784962bab76e227f9c5820d0b9a9e5", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/workos/authkit-react-router/releases/tag/v0.7.0", "name": "https://github.com/workos/authkit-react-router/releases/tag/v0.7.0", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts \u2014 specifically sealedSession and accessToken by returning them from the authkitLoader. This caused them to be rendered into the browser HTML. This issue is fixed in version 0.7.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-200", "description": "CWE-200: Exposure of Sensitive Information to an Unauthorized Actor"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-08-09T02:02:14.950Z"}}}, "cveMetadata": {"cveId": "CVE-2025-55008", "state": "PUBLISHED", "dateUpdated": "2025-08-11T14:33:33.678Z", "dateReserved": "2025-08-04T17:34:24.422Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-08-09T02:02:14.950Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The AuthKit library for React Router 7+ provides helpers for authentication and session management using WorkOS & AuthKit with React Router. In versions 0.6.1 and below, @workos-inc/authkit-react-router exposed sensitive authentication artifacts \u2014 specifically sealedSession and accessToken by returning them from the authkitLoader. This caused them to be rendered into the browser HTML. This issue is fixed in version 0.7.0."}, {"lang": "es", "value": "La librer\u00eda AuthKit para React Router 7+ proporciona ayudantes para la autenticaci\u00f3n y la gesti\u00f3n de sesiones mediante WorkOS y AuthKit con React Router. En las versiones 0.6.1 y anteriores, @workos-inc/authkit-react-router expon\u00eda artefactos de autenticaci\u00f3n sensibles, en concreto, sealedSession y accessToken, al devolverlos desde authkitLoader. Esto provocaba que se renderizaran en el HTML del navegador. Este problema se ha corregido en la versi\u00f3n 0.7.0."}], "id": "CVE-2025-55008", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2025-08-09T03:15:47.327", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/workos/authkit-react-router/commit/607caac658784962bab76e227f9c5820d0b9a9e5"}, {"source": "security-advisories@github.com", "url": "https://github.com/workos/authkit-react-router/releases/tag/v0.7.0"}, {"source": "security-advisories@github.com", "url": "https://github.com/workos/authkit-react-router/security/advisories/GHSA-vqvc-9q8x-vmq6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-200"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"created": "2025-08-12T11:47:15.274208+00:00", "updated": "2025-08-12T11:47:15.274272+00:00", "vendors": ["workos", "workos$PRODUCT$authkit"]}