CVE-2024-29901

HIGH EPSS 46.9%
Published Mar 29, 20242y ago · Modified Jun 17, 20261w ago
8.1 CVSS 3.1
High
Find Similar
Published Mar 29, 2024 2y ago
Last Modified Jun 17, 2026 1w ago

Description

The AuthKit library for Next.js provides helpers for authentication and session management using WorkOS & AuthKit with Next.js. A user can reuse an expired session by controlling the `x-workos-session` header. The vulnerability is patched in v0.4.2.

CVSS Details

Base Score
8.1
Exploitability
2.2
Impact
5.9
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector Network
Attack Complexity High
Privileges Required None
User Interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

Threat Intelligence

EPSS Exploit Probability
46.9% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-294

Affected Products 1

VendorProductVersionRange
workosauthkit-nextjs* <0.4.2

References 3

  • github.com https://github.com/workos/authkit-nextjs/commit/6c3f4f3179d66cbb15de3962792083ff3b244a01
    Patch
  • github.com https://github.com/workos/authkit-nextjs/releases/tag/v0.4.2
    Release Notes
  • github.com https://github.com/workos/authkit-nextjs/security/advisories/GHSA-35w3-6qhc-474v
    Vendor Advisory

Remediation

  • github.com https://github.com/workos/authkit-nextjs/commit/6c3f4f3179d66cbb15de3962792083ff3b244a01
    Patch