CVE-2025-55009

low-risk
Published 2025-08-09

The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In versions 0.14.1 and below, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning them from the authkitLoader. This caused them to be rendered into the browser HTML.

Do I need to act?

-
0.06% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
7
CVSS 7.1/10 High
NETWORK / HIGH complexity

References (3)

https://github.com/workos/authkit-remix/commit/20102afc74bf3dd5150a975a098067fb4...
https://github.com/workos/authkit-remix/releases/tag/v0.15.0
https://github.com/workos/authkit-remix/security/advisories/GHSA-v3gr-w9gf-23cx
26
/ 100
low-risk
Severity 21/34 · High
Exploitability 0/34 · Minimal
Exposure 5/34 · Minimal