CVE-2025-64762
Published: 21 November 2025
Summary
CVE-2025-64762 is a critical-severity Use of Cache Containing Sensitive Information (CWE-524) vulnerability in Workos Authkit-Nextjs. Its CVSS base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Steal Web Session Cookie (T1539). The CVE ranks at the 23.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-4 (Information in Shared System Resources).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Flaw remediation: directly mitigates the CVE by requiring identification, reporting, and timely patching of the flaw in authkit-nextjs that omits anti-caching headers on authenticated responses.
- CM-6 (Configuration Settings): ensures secure configuration settings for web applications and CDNs, including mandatory anti-caching headers on authenticated paths to prevent session token caching.
- SC-4 (Information in Shared System Resources): prevents unauthorized disclosure of session tokens via shared CDN caches, which act as shared system resources accessible to multiple users.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability causes authenticated responses containing session tokens to lack anti-caching headers, enabling them to be cached by CDNs and served to unauthorized users, directly facilitating the theft of web session cookies.
NVD Description
The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication.
Deeper analysis
CVE-2025-64762 affects the AuthKit library for Next.js, which provides authentication and session management helpers using WorkOS and AuthKit. In versions 2.11.0 and prior, authenticated responses lack defensive anti-caching headers, so in environments with CDN caching enabled a response carrying a session token can be stored by the shared cache and served to unintended users. The vulnerability is classified as CWE-524 (Use of Cache Containing Sensitive Information) and carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N), indicating critical severity due to high impacts on confidentiality and integrity.
Remote unauthenticated attackers can exploit this issue in deployments where CDN caching is active on authenticated paths, for example custom configurations that go beyond the default Next.js-on-Vercel setup. By accessing cached responses, attackers receive session tokens belonging to other users, potentially enabling session hijacking, account takeover, or unauthorized access to protected resources without direct interaction with the target application.
The vulnerability is patched in authkit-nextjs version 2.11.1, which adds anti-caching headers to all responses behind authentication. Developers should upgrade immediately and review caching configurations, particularly for CDNs. Official advisories, including the GitHub security advisory GHSA-p8pf-44ff-93gf, release notes for v2.11.1, and the patching commit 94cf438124993abb0e7c19dac64c3cb5724a15ea, provide full details on the fix. Next.js applications on Vercel remain unaffected unless caching is manually enabled on authenticated routes.
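To make the mechanism and the fix concrete, the following is an added example and not code from the authkit-nextjs project or its patch. It shows a defensive helper that stamps a no-store header set onto a response behind authentication (the approach the advisory describes, with header values chosen here as an assumption rather than copied from the library), an audit check that flags an authenticated response a shared cache would be allowed to store, and a minimal model of a shared cache used only to show the before/after effect. The sample headers, cookie name and token value are constructed placeholders. The standard `Headers` class is assumed to be available (Node.js 18+ and Next.js route handlers).

```javascript
// Added example (not the authkit-nextjs project's code): defensive
// anti-caching headers for authenticated responses, plus an audit check
// for the misconfiguration class described by CVE-2025-64762.
// Header values are an assumption (a common no-store set), not the patch's
// exact values. Requires Node.js 18+ for the global Headers class.

// Headers applied to every response served behind authentication.
const NO_STORE_HEADERS = Object.freeze({
  "Cache-Control": "private, no-cache, no-store, max-age=0, must-revalidate",
  "Pragma": "no-cache",
  "Expires": "0",
});

// Parse a Cache-Control value into a Map of lowercase directive -> value|null.
function parseCacheControl(value) {
  const directives = new Map();
  if (!value) return directives;
  for (const part of value.split(",")) {
    const token = part.trim();
    if (!token) continue;
    const eq = token.indexOf("=");
    if (eq === -1) {
      directives.set(token.toLowerCase(), null);
    } else {
      const name = token.slice(0, eq).trim().toLowerCase();
      const raw = token.slice(eq + 1).trim().replace(/^"(.*)"$/, "$1");
      directives.set(name, raw);
    }
  }
  return directives;
}

// Would a shared cache (CDN) be allowed to store this response?
// RFC 9111 forbids a shared cache from storing a response marked no-store
// or private; anything else is treated as storable, the conservative
// assumption for an audit of authenticated paths.
function isSharedCacheable(headers) {
  const cc = parseCacheControl(headers.get("cache-control"));
  return !(cc.has("no-store") || cc.has("private"));
}

// Apply the anti-caching set to a Headers instance, e.g. in a Next.js
// middleware or route handler once the request is known to be authenticated.
function applyNoStore(headers) {
  for (const [name, value] of Object.entries(NO_STORE_HEADERS)) {
    headers.set(name, value);
  }
  return headers;
}

// Audit an authenticated response: flag it when it carries session state
// (a Set-Cookie header) and a shared cache would be allowed to store it.
function auditAuthenticatedResponse(headers) {
  const setsCookie = headers.has("set-cookie");
  const sharedCacheable = isSharedCacheable(headers);
  return { setsCookie, sharedCacheable, vulnerable: setsCookie && sharedCacheable };
}

// Minimal model of a shared cache: stores a response only when the headers
// permit it. This exists to show the effect of the fix; it is not a real CDN.
class SharedCache {
  constructor() { this.store = new Map(); }
  put(url, headers) {
    if (!isSharedCacheable(headers)) return false;
    this.store.set(url, headers);
    return true;
  }
  get(url) { return this.store.get(url) ?? null; }
}

// Constructed sample: an authenticated response on which the application
// itself enabled CDN caching (the "manually enable CDN caching" case from
// the advisory) while also setting a session cookie. Cookie name and value
// are placeholders, not real identifiers.
function sampleVulnerableHeaders() {
  return new Headers({
    "Content-Type": "text/html; charset=utf-8",
    "Cache-Control": "public, s-maxage=60, max-age=0",
    "Set-Cookie": "session=PLACEHOLDER_SESSION_TOKEN; Path=/; HttpOnly; Secure",
  });
}

// Run the audit before and after applying the defensive headers.
function demo() {
  const before = auditAuthenticatedResponse(sampleVulnerableHeaders());
  const fixed = applyNoStore(sampleVulnerableHeaders());
  const after = auditAuthenticatedResponse(fixed);
  const cdn = new SharedCache();
  const storedBefore = cdn.put("/account", sampleVulnerableHeaders());
  const storedAfter = cdn.put("/account-fixed", fixed);
  return { before, after, storedBefore, storedAfter };
}

console.log(JSON.stringify(demo(), null, 2));
```

The audit treats the absence of `no-store`/`private` as cacheable on purpose: on an authenticated path the question is not whether a CDN definitely will cache the response, but whether it is allowed to. Running `auditAuthenticatedResponse` over the headers of every route behind authentication (in an integration test, or against a staging deployment's responses) gives a CM-6 style configuration check that catches the `public, s-maxage=...` case regardless of which framework or CDN sits in front.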
Details
- CWE(s)