Cyber Posture

CVE-2025-64762

Critical

Published: 21 November 2025
Modified: 11 December 2025
KEV Added: (none listed)
Patch: available (see Security Summary)
CVSS Score: 9.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N)
EPSS Score: 0.0008 (23.8th percentile)
Risk Priority: 18 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

The AuthKit library for Next.js (authkit-nextjs) provides authentication and session management helpers built on WorkOS AuthKit. In versions 2.11.0 and prior, authenticated responses lack defensive anti-caching headers, so session tokens can be cached and served to unintended users in environments where CDN caching is enabled. Version 2.11.1 adds anti-caching headers to all responses behind authentication. Next.js applications on Vercel are unaffected unless caching is manually enabled on authenticated routes.

Security Summary

CVE-2025-64762 affects the AuthKit library for Next.js (authkit-nextjs), which provides authentication and session management helpers built on WorkOS AuthKit. In versions 2.11.0 and prior, responses produced behind authentication carry no defensive anti-caching headers (no Cache-Control: no-store or private), so a CDN that has been configured to cache those paths will store a response containing one user's session token and serve it to whoever next requests the same URL. The weakness is classified as CWE-524 (Use of Cache Containing Sensitive Information). It carries a CVSS v3.1 base score of 9.1 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N): critical, because a remote attacker needs neither privileges nor user interaction and the impact on confidentiality and integrity is high, while availability is not affected.

Remote, unauthenticated attackers can exploit this in deployments where a CDN caches authenticated paths. The advisory notes this is not the default behaviour of Next.js on Vercel; it arises from custom caching configuration on routes that sit behind authentication. The attacker does not need to interact with the victim or with the application's authentication logic at all: once a legitimate user's response has been stored by the cache, a plain request for the same URL returns that response, including the victim's session token. Replaying the token gives the attacker the victim's authenticated session, enabling session hijacking, account takeover and access to protected resources. Because the attacker receives whatever the cache happens to hold, the exposure is opportunistic rather than targeted, but any single cached response is enough to take over the account it belongs to.

The vulnerability is patched in authkit-nextjs version 2.11.1, which adds anti-caching headers to all responses behind authentication. Developers should upgrade immediately and review caching configurations, particularly CDN rules that override or strip origin cache headers on authenticated routes. After upgrading, confirm that a response on an authenticated route carries a Cache-Control header containing no-store (or at minimum private) and is not served with a cache-hit marker by the CDN. If a CDN was caching authenticated paths while a vulnerable version was deployed, purge the cached responses and treat sessions issued during that window as potentially exposed. Official sources, namely the GitHub security advisory GHSA-p8pf-44ff-93gf, the release notes for v2.11.1 and the patching commit 94cf438124993abb0e7c19dac64c3cb5724a15ea, provide full details of the fix. Next.js applications on Vercel remain unaffected unless caching is manually enabled on authenticated routes.
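The following is an added example and not code from the authkit-nextjs project or its advisory. It models, in plain Node.js, both the exploitation path described above and the remediation: a shared cache configured to cache an authenticated path (the non-default setup the advisory warns about) stores a response that carries one user's session cookie and serves it to the next requester of the same URL, whether that requester is another user or an unauthenticated attacker, while a response that carries Cache-Control: private, no-store is never stored. The session table, the cookie name wos-session, the URL /dashboard and the 60-second default TTL are constructed for the demonstration; the header set is the defensive anti-caching class the advisory describes, not necessarily the exact values the 2.11.1 patch emits.

```javascript
'use strict';
// Added example, not code from the authkit-nextjs project or its advisory.
// Models a shared (CDN) cache in front of an authenticated route handler and
// shows (a) how a response carrying one user's session token is served to
// another requester when anti-caching headers are absent, and (b) that
// `Cache-Control: private, no-store` stops the shared cache from storing it.
// Requests and responses are plain objects, so this runs under Node with no network.

// Constructed sample data: two users with made-up session identifiers.
const SESSIONS = {
  'sid-alice': { user: 'alice', token: 'sess-alice-111' },
  'sid-bob':   { user: 'bob',   token: 'sess-bob-222' },
};

// Defensive header set: no-store alone suffices for RFC 9111 caches; the extra
// directives cover older intermediaries. (Assumed values, not the patch's literal ones.)
const ANTI_CACHING_HEADERS = {
  'cache-control': 'private, no-cache, no-store, max-age=0, must-revalidate',
  'pragma': 'no-cache',
  'expires': '0',
};

// Parse a Cache-Control header into { directive: value | true }.
function parseCacheControl(value) {
  const out = {};
  for (const part of (value || '').split(',')) {
    const [name, val] = part.trim().toLowerCase().split('=');
    if (name) out[name] = val === undefined ? true : val.replace(/"/g, '');
  }
  return out;
}

// May a shared cache store this response? Simplified RFC 9111 rules: no-store
// and private forbid it; an explicit s-maxage/max-age sets the TTL; otherwise
// fall back to the CDN's configured default TTL (the "caching enabled on
// authenticated paths" configuration the advisory describes).
function sharedCacheMayStore(headers, cdnDefaultTtl) {
  const cc = parseCacheControl(headers['cache-control']);
  if (cc['no-store'] || cc['private']) return false;
  if (cc['s-maxage'] !== undefined) return Number(cc['s-maxage']) > 0;
  if (cc['max-age'] !== undefined) return Number(cc['max-age']) > 0;
  return cdnDefaultTtl > 0;
}

// Minimal shared cache keyed on method + URL only (no Vary handling), storing
// successful GET responses, which is how a CDN misconfigured to cache
// authenticated routes effectively behaves.
class SharedCache {
  constructor(defaultTtl) { this.defaultTtl = defaultTtl; this.store = new Map(); }
  fetch(request, origin) {
    const key = `${request.method} ${request.url}`;
    const hit = this.store.get(key);
    if (hit) return { ...hit, headers: { ...hit.headers, 'x-cache': 'HIT' } };
    const response = origin(request);
    if (request.method === 'GET' && response.status === 200 &&
        sharedCacheMayStore(response.headers, this.defaultTtl)) {
      this.store.set(key, response);
    }
    return { ...response, headers: { ...response.headers, 'x-cache': 'MISS' } };
  }
}

// Origin handler: resolves the session from the request cookie, renders a
// user-specific page and re-issues the session cookie (as a session-refreshing
// middleware would). `antiCaching` toggles the remediation on every response.
function handleAuthenticated(request, antiCaching) {
  const session = SESSIONS[request.cookie];
  const response = session
    ? { status: 200,
        headers: { 'content-type': 'text/html',
                   'set-cookie': `wos-session=${session.token}; Path=/; HttpOnly; Secure; SameSite=Lax` },
        body: `<h1>Hello ${session.user}</h1>` }
    : { status: 401, headers: { 'content-type': 'text/plain' }, body: 'sign in required' };
  if (antiCaching) Object.assign(response.headers, ANTI_CACHING_HEADERS);
  return response;
}

// Alice loads the page first; Bob and then an unauthenticated attacker request
// the same URL. Returns what each got and whether Alice's token leaked.
function simulate(antiCaching) {
  const cdn = new SharedCache(60);
  const origin = (req) => handleAuthenticated(req, antiCaching);
  cdn.fetch({ method: 'GET', url: '/dashboard', cookie: 'sid-alice' }, origin);
  const bob = cdn.fetch({ method: 'GET', url: '/dashboard', cookie: 'sid-bob' }, origin);
  const attacker = cdn.fetch({ method: 'GET', url: '/dashboard', cookie: undefined }, origin);
  const leaked = (res) => (res.headers['set-cookie'] || '').includes('sess-alice');
  return { bob, attacker, leakedToBob: leaked(bob), leakedToAttacker: leaked(attacker) };
}

console.log('vulnerable (no anti-caching headers):', simulate(false));
console.log('patched (anti-caching headers on every response):', simulate(true));
```

Run it with node. In the vulnerable run both Bob and the attacker receive Alice's page with x-cache: HIT and a Set-Cookie carrying Alice's token; in the patched run Bob gets his own page and the attacker gets the origin's 401. The model keys the cache on URL alone and ignores Vary; a real CDN applies its own defaults (for example around responses that carry Set-Cookie), which is why the exposure depends on the caching configuration rather than on the library alone. To check a deployment, request an authenticated page with a valid session cookie and confirm the response's Cache-Control contains no-store and that the CDN does not report a cache hit for it.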

Details

CWE(s)
CWE-524

Affected Products

workos
authkit-nextjs
≤ 2.11.0 (fixed in 2.11.1)

MITRE ATT&CK Enterprise Techniques

T1539 Steal Web Session Cookie (Credential Access)
An adversary may steal web application or service session cookies and use them to gain access to web applications or Internet services as an authenticated user without needing credentials.
Why these techniques?

The vulnerability causes authenticated responses containing session tokens to be emitted without anti-caching headers, so a CDN configured to cache those paths stores them and serves them to other requesters. Anyone who retrieves such a cached response obtains another user's session cookie and can replay it to act as that user without ever holding their credentials, which is exactly the behaviour T1539 describes.

References