WorkOS AuthKit for React Router Sensitive Data Exposure Vulnerability
Vulnerability
A vulnerability in the WorkOS AuthKit library for React Router, affecting versions prior to 0.7.0, allowed sensitive authentication data, specifically the 'sealedSession' and 'accessToken' values, to be exposed. Both values were included in the data returned by 'authkitLoader', and because React Router serializes loader data into the server-rendered HTML to hydrate the client, they reached the browser page. Any script running in that page, whether a cross-site scripting (XSS) payload or a malicious browser extension, could read them, which creates a risk of session hijacking.
Impact
Exposure of 'sealedSession' and 'accessToken' can lead to session hijacking: an attacker who obtains either value can act as the authenticated user. The risk is highest where cross-site scripting (XSS) is possible, where a malicious browser extension can read page content, or where the rendered HTML can be inspected locally (browser cache, saved pages, shared machines).
Reproduction
To reproduce this vulnerability, install a version of the WorkOS AuthKit library for React Router prior to 0.7.0 and use 'authkitLoader' as the loader for a server-rendered route so that the returned 'accessToken' and 'sealedSession' are part of the loader data. Load the route as an authenticated user and inspect the page source or the hydration script the framework embeds in the HTML; the token values will be present. Note that the 'getAccessToken' helper, which keeps the token server-side, was only introduced in the patched version, so on the older versions there is no alternative code path that avoids the exposure.
Remediation
Users should update to WorkOS AuthKit for React Router version 0.7.0 or later, where this vulnerability has been fixed. After updating, consult the migration instructions in the README to adjust any implementation that relied on the previous behavior of 'authkitLoader' (for example, code that read 'accessToken' from loader data should use the 'getAccessToken' helper instead). Since exposed values may already have been captured, consider invalidating active sessions after the upgrade.
