CVE-2025-64762 Vulnerability Analysis & Exploit Details

CVE-2025-64762 Vulnerability Summary

CVE-2025-64762: The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication.

CVE-2025-64762 References

External References

• https://github.com/workos/authkit-nextjs/commit/94cf438124993abb0e7c19dac64c3cb5724a15ea
• https://github.com/workos/authkit-nextjs/releases/tag/v2.11.1
• https://github.com/workos/authkit-nextjs/security/advisories/GHSA-p8pf-44ff-93gf

CWE Common Weakness Enumeration

CAPEC Common Attack Pattern Enumeration and Classification

• Lifting Sensitive Data Embedded in Cache CAPEC-204 An adversary examines a target application's cache, or a browser cache, for sensitive information. Many applications that communicate with remote entities or which perform intensive calculations utilize caches to improve efficiency. However, if the application computes or receives sensitive information and the cache is not appropriately protected, an attacker can browse the cache and retrieve this information. This can result in the disclosure of sensitive information.

Vulnerable Configurations

• cpe:2.3:a:workos:authkit-nextjs:0.1.0:-:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.1.0:-:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.1.0:rc0:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.1.0:rc0:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.1.0:rc1:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.1.0:rc1:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.1.0:rc2:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.1.0:rc2:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.1.0:rc3:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.1.0:rc3:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.2.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.2.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.3.0:-:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.3.0:-:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.3.0:rc0:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.3.0:rc0:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.4.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.4.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.4.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.4.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.4.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.4.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.5.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.5.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.5.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.5.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.5.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.5.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.5.3:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.5.3:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.6.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.6.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.6.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.6.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.6.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.6.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.7.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.7.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.8.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.8.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.8.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.8.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.8.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.8.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.9.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.9.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.10.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.10.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.10.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.10.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.11.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.11.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.11.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.11.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.11.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.11.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.12.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.12.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.12.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.12.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.12.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.12.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.12.3:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.12.3:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.13.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.13.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.13.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.13.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.13.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.13.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.14.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.14.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.15.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.15.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.16.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.16.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.16.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.16.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.16.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.16.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.17.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.17.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.17.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.17.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:0.17.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:0.17.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:1.0.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:1.0.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:1.0.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:1.0.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:1.0.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:1.0.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:1.1.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:1.1.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:1.2.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:1.2.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:1.3.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:1.3.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:1.4.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:1.4.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:1.4.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:1.4.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.0.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.0.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.0.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.0.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.0.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.0.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.1.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.1.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.2.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.2.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.2.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.2.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.2.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.2.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.2.3:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.2.3:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.3.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.3.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.3.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.3.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.3.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.3.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.3.3:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.3.3:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.4.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.4.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.4.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.4.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.4.2:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.4.2:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.4.3:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.4.3:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.4.4:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.4.4:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.4.5:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.4.5:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.4.6:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.4.6:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.5.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.5.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.6.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.6.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.7.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.7.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.7.1:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.7.1:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.8.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.8.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.9.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.9.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.10.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.10.0:*:*:*:*:node.js:*:*
• cpe:2.3:a:workos:authkit-nextjs:2.11.0:*:*:*:*:node.js:*:*
  cpe:2.3:a:workos:authkit-nextjs:2.11.0:*:*:*:*:node.js:*:*

Other 5 Recently Published CVEs Vulnerabilities

• CVE-2025-52691 – Successful exploitation of the vulnerability could allow an unauthenticated attacker to upload arbitrary files to any location on the mail server, ...
• CVE-2025-15168 – A vulnerability was identified in itsourcecode Student Management System 1.0. Affected is an unknown function of the file /statistical.php. Such ma...
• CVE-2025-15167 – A vulnerability was determined in itsourcecode Online Cake Ordering System 1.0. This impacts an unknown function of the file /detailtransac.php. Th...
• CVE-2025-15166 – A vulnerability was found in itsourcecode Online Cake Ordering System 1.0. This affects an unknown function of the file /updatesupplier.php?action=...
• CVE-2025-15165 – A vulnerability has been found in itsourcecode Online Cake Ordering System 1.0. The impacted element is an unknown function of the file /updatecust...