CVE-2024-29901: 
JavaScript vulnerability analysis and mitigation

The vulnerability (CVE-2024-29901) affects the AuthKit library for Next.js, which provides authentication and session management functionality using WorkOS & AuthKit. The vulnerability was discovered and disclosed on March 29, 2024, and allows users to reuse expired sessions by manipulating the x-workos-session header. The issue affects versions of @workos-inc/authkit-nextjs prior to v0.4.2 (GitHub Advisory).

The vulnerability is classified as a session replay attack vulnerability, where an attacker can bypass session expiration mechanisms by controlling the x-workos-session header. The issue has been assigned a CVSS v3.1 Base Score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N. The vulnerability is categorized under CWE-294 (Authentication Bypass by Capture-replay) (NVD).

The vulnerability allows unauthorized users to maintain access to the system by replaying expired session tokens. This could lead to unauthorized access to user accounts and sensitive information, potentially compromising the security of applications using the affected library (GitHub Advisory).

The vulnerability has been patched in version 0.4.2 of the AuthKit library for Next.js. Users are strongly advised to upgrade to this version or later to prevent session replay attacks. The fix involves proper handling and validation of the x-workos-session header (GitHub Commit).