@workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enabled

Description

Refresh tokens are logged to the console when the disabled by default debug flag, is enabled.

Recommendation

Update the @workos-inc/authkit-nextjs package to the latest compatible version. Followings are version details:

• Affected version(s): < 0.13.2
• Patched version(s): 0.13.2

References

• GHSA-5wmg-9cvh-qw25
• CVE-2024-51752
• CWE-532
• CAPEC-310
• OWASP 2021-A6
• OWASP 2021-A9

Related Issues

• @workos-inc/authkit-remix refresh tokens are logged when the debug flag is enabled - CVE-2024-51753
• @workos-inc/authkit-nextjs session replay vulnerability - CVE-2024-29901
• Sentry's sensitive headers are leaked when `sendDefaultPii` is set to `true` - @sentry/nextjs - CVE-2025-65944
• authkit-nextjs may let session cookies be cached in CDNs - CVE-2025-64762

You might also like:

How to Secure your NodeJs Express Javascript Application - part 1

How to Secure your NodeJs Express Javascript Application - part 2

10 Secure Coding Best Practices to Follow in Every Project

Tags:

npm

@workos-inc/authkit-nextjs