CVE-2024-29901

EPSS 0.35%
Published 29.03.2024 16:15:08
Last modified 07.05.2025 17:05:40
Source security-advisories@github.com
Teams watchlist Login
Open Login

The AuthKit library for Next.js provides helpers for authentication and session management using WorkOS & AuthKit with Next.js.
A user can reuse an expired session by controlling the `x-workos-session` header. The vulnerability is patched in v0.4.2.

Affected products Warnungen 0 Metrics 3 CWE 1 References 6

Data is provided by the National Vulnerability Database (NVD)

Workos ≫ Authkit SwPlatformnode.js Version < 0.4.2

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Type	Source	Score	Percentile
EPSS	FIRST.org	0.35%	0.568

CVSS Metriken
Source	Base Score	Exploit Score	Impact Score	Vector string
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-294 Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

https://github.com/workos/authkit-nextjs/commit/6c3f4f3179d66cbb15de3962792083ff3b244a01

Patch

https://github.com/workos/authkit-nextjs/releases/tag/v0.4.2

Release Notes

https://github.com/workos/authkit-nextjs/security/advisories/GHSA-35w3-6qhc-474v

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-29901

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-29901

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-29901

EUVD