CVE-2024-29901

EPSS 0.66%
Veröffentlicht 29.03.2024 16:15:08
Zuletzt bearbeitet 11.12.2025 17:45:43
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

@workos-inc/authkit-nextjs session replay vulnerability

The AuthKit library for Next.js provides helpers for authentication and session management using WorkOS & AuthKit with Next.js.
A user can reuse an expired session by controlling the `x-workos-session` header. The vulnerability is patched in v0.4.2.

Betroffene Produkte Warnungen 0 Metriken 3 CWE 1 Referenzen 6

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Workos ≫ Authkit-nextjs SwPlatformnode.js Version < 0.4.2

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.66%	0.466

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	8.1	2.2	5.9	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
security-advisories@github.com	4.8	2.2	2.5	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

CWE-294 Authentication Bypass by Capture-replay

A capture-replay flaw exists when the design of the product makes it possible for a malicious user to sniff network traffic and bypass authentication by replaying it to the server in question to the same effect as the original message (or with minor changes).

https://github.com/workos/authkit-nextjs/commit/6c3f4f3179d66cbb15de3962792083ff3b244a01

Patch

https://github.com/workos/authkit-nextjs/releases/tag/v0.4.2

Release Notes

https://github.com/workos/authkit-nextjs/security/advisories/GHSA-35w3-6qhc-474v

Vendor Advisory

https://nvd.nist.gov/vuln/detail/CVE-2024-29901

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2024-29901

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2024-29901

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2024-29901