{ "data_version": "4.0", "data_type": "CVE", "data_format": "MITRE", "CVE_data_meta": { "ID": "CVE-2024-29901", "ASSIGNER": "security-advisories@github.com", "STATE": "PUBLIC" }, "description": { "description_data": [ { "lang": "eng", "value": "The AuthKit library for Next.js provides helpers for authentication and session management using WorkOS & AuthKit with Next.js.\nA user can reuse an expired session by controlling the `x-workos-session` header. The vulnerability is patched in v0.4.2." } ] }, "problemtype": { "problemtype_data": [ { "description": [ { "lang": "eng", "value": "CWE-294: Authentication Bypass by Capture-replay", "cweId": "CWE-294" } ] } ] }, "affects": { "vendor": { "vendor_data": [ { "vendor_name": "workos", "product": { "product_data": [ { "product_name": "authkit-nextjs", "version": { "version_data": [ { "version_affected": "=", "version_value": "< 0.4.2" } ] } } ] } } ] } }, "references": { "reference_data": [ { "url": "https://github.com/workos/authkit-nextjs/security/advisories/GHSA-35w3-6qhc-474v", "refsource": "MISC", "name": "https://github.com/workos/authkit-nextjs/security/advisories/GHSA-35w3-6qhc-474v" }, { "url": "https://github.com/workos/authkit-nextjs/commit/6c3f4f3179d66cbb15de3962792083ff3b244a01", "refsource": "MISC", "name": "https://github.com/workos/authkit-nextjs/commit/6c3f4f3179d66cbb15de3962792083ff3b244a01" }, { "url": "https://github.com/workos/authkit-nextjs/releases/tag/v0.4.2", "refsource": "MISC", "name": "https://github.com/workos/authkit-nextjs/releases/tag/v0.4.2" } ] }, "source": { "advisory": "GHSA-35w3-6qhc-474v", "discovery": "UNKNOWN" }, "impact": { "cvss": [ { "attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1" } ] } }