The AuthKit Remix Library renders sensitive auth data in HTML

Description

Before 0.15.0, @workos-inc/authkit-remix returned sensitive authentication artifacts from the authkitLoader, specifically sealedSession and accessToken. Because these values were returned from the loader, they were embedded into the server-rendered HTML and became readable by any script with access to the page’s DOM (e.g.

Recommendation

Update the @workos-inc/authkit-remix package to the latest compatible version. Followings are version details:

• Affected version(s): < 0.15.0
• Patched version(s): 0.15.0

References

• GHSA-v3gr-w9gf-23cx
• osv.dev
• CVE-2025-55009
• CWE-200
• CAPEC-310
• OWASP 2021-A1
• OWASP 2021-A6

Related Issues

• The AuthKit React Router Library rendered sensitive auth data in HTML - CVE-2025-55008
• Strapi core vulnerable to sensitive data exposure via CORS misconfiguration - CVE-2025-53092
• @workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled - CVE-2024-51753
• Parse Server vulnerable to brute force guessing of user sensitive data via search patterns - CVE-2022-36079

Tags:

npm

@workos-inc/authkit-remix