GHSA-v3gr-w9gf-23cx: The AuthKit Remix Library renders sensitive auth data in HTML
In versions before 0.15.0, @workos-inc/authkit-remix exposed sensitive authentication artifacts, specifically sealedSession and accessToken, by returning them from the authkitLoader. Because Remix serializes loader data into the server-rendered page, this caused them to be rendered into the browser HTML.
Impact
Exposure of these artifacts could lead to session hijacking in environments where cross-site scripting (XSS), malicious browser extensions, or local inspection is possible.
Patches
Patched in https://github.com/workos/authkit-remix/releases/tag/v0.15.0
In patched versions:
- sealedSession and accessToken are no longer returned by default from the authkitLoader.
- A secure server-side mechanism is provided to fetch an access token as needed.
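The loader-data path the advisory describes, as an added example that is not the library's own code: a loader shaped like the pre-0.15.0 behaviour next to one that allowlists only public fields, a mimic of how Remix inlines loader data into the HTML, a server-side token accessor, and a check a reviewer can run against rendered output. The AuthState shape, the sample values and the function names are assumptions; the real authkitLoader internals are not on this page.

```typescript
// Shape of the server-side auth state (assumed; not the library's own type).
type AuthState = {
  user: { id: string; email: string };
  sealedSession: string; // encrypted session payload, must stay server-side
  accessToken: string;   // bearer token for the user, must stay server-side
};

// Constructed sample state with placeholder values (not real WorkOS artifacts).
const SAMPLE: AuthState = {
  user: { id: "user_01", email: "a@example.com" },
  sealedSession: "sealed.session.PLACEHOLDER",
  accessToken: "access.token.PLACEHOLDER",
};

// Mimics what Remix does with a loader's return value during SSR: it is
// JSON-serialized into a <script> tag so the client can hydrate from it.
// Anything returned from a loader therefore ends up in the page source.
function renderLoaderData(data: unknown): string {
  const ctx = JSON.stringify({ loaderData: { root: data } });
  return `<script>window.__remixContext = ${ctx};</script>`;
}

// Pre-0.15.0-shaped loader (hypothetical): spreads the whole auth state.
function vulnerableLoader(state: AuthState) {
  return { ...state };
}

// Hardened loader: allowlist the fields the browser needs instead of
// denylisting secrets, so a newly added sensitive field cannot slip through.
function hardenedLoader(state: AuthState): { user: AuthState["user"] } {
  return { user: state.user };
}

// Server-only accessor: code that needs the token calls this from an action
// or resource route on the server rather than reading it from loader data.
function getAccessTokenServerSide(state: AuthState): string {
  return state.accessToken;
}

// Detection helper for tests or review: does rendered HTML contain either artifact?
function leaksSecrets(html: string, state: AuthState): boolean {
  return html.includes(state.accessToken) || html.includes(state.sealedSession);
}
```

Running leaksSecrets over the output of renderLoaderData in a test makes a regression of this class fail before it ships.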
CVE-2025-55009
High severity GitHub Reviewed Published Aug 8, 2025 in workos/authkit-remix • Updated Aug 8, 2025
Package
npm @workos-inc/authkit-remix (npm)
Affected versions
< 0.15.0
References
- GHSA-v3gr-w9gf-23cx
- workos/authkit-remix@20102af
Published to the GitHub Advisory Database Aug 8, 2025