CVE-2025-64762
JavaScript vulnerability analysis and mitigation

Overview

CVE-2025-64762 affects authkit-nextjs versions 2.11.0 and below, where authenticated responses lack anti-caching headers. This vulnerability was discovered and disclosed on November 20, 2025, impacting JavaScript applications using the authkit-nextjs library. The vulnerability specifically affects applications deployed with CDN caching enabled, where session tokens could potentially be cached and served to multiple users (GitHub Advisory).

Technical details

The vulnerability stems from authkit-nextjs failing to set anti-caching headers on HTTP responses for authenticated requests. The core issue is the absence of headers such as "Cache-Control: private, no-cache, no-store" and "Vary: Cookie". Without them, Content Delivery Networks (CDNs) or other proxy caches can store responses containing private session information and inadvertently serve them to multiple users. The vulnerability is tracked as GHSA-p8pf-44ff-93gf and is classified as High severity (Miggo).

Impact

The vulnerability can lead to session token exposure, potentially allowing unauthorized users to obtain another user's session token through CDN-cached responses. The severity of the impact varies depending on deployment configuration, caching policy, and whether authenticated routes are inadvertently cached. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths (GitHub Advisory).

Mitigation and workarounds

The vulnerability has been patched in authkit-nextjs version 2.11.1, which implements proper cache prevention headers for all authenticated responses. The fix sets the following headers: "Cache-Control: private, no-cache, no-store, must-revalidate, max-age=0"; "Pragma: no-cache"; "Expires: 0"; and "Vary: Cookie". Users unable to upgrade immediately should review application code, middleware, and infrastructure configuration to ensure that Cache-Control headers are properly set for authenticated paths and that user-specific or sensitive authenticated information is not cached (GitHub Release).
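
The header review described above can be automated. The following is an added example, not code from authkit-nextjs or the advisory: it audits a request/response header pair for the missing anti-caching headers and applies the header set the 2.11.1 fix is described as using. The function names and the sample headers are hypothetical and constructed for illustration.

```javascript
// Added example (not authkit-nextjs code). Header values are the ones the
// 2.11.1 fix is described as setting; function names are hypothetical.
const NO_CACHE_HEADERS = {
  'cache-control': 'private, no-cache, no-store, must-revalidate, max-age=0',
  pragma: 'no-cache',
  expires: '0',
};

// Lower-case header names so lookups are case-insensitive.
const normalize = (headers) =>
  Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), String(v)]));

// Split a comma-separated header value into trimmed, lower-cased tokens.
const tokens = (value) =>
  (value || '').split(',').map((t) => t.trim().toLowerCase()).filter(Boolean);

// Findings for one request/response pair; [] means no issue was found.
function auditAuthenticatedResponse(requestHeaders, responseHeaders) {
  const req = normalize(requestHeaders);
  const res = normalize(responseHeaders);
  // Treat the exchange as authenticated if it carries session material.
  if (!('cookie' in req || 'authorization' in req || 'set-cookie' in res)) return [];
  const cc = tokens(res['cache-control']);
  const findings = ['private', 'no-cache', 'no-store']
    .filter((d) => !cc.includes(d))
    .map((d) => `Cache-Control lacks ${d}`);
  if (cc.some((d) => d === 'public' || d.startsWith('s-maxage'))) {
    findings.push('Cache-Control allows shared caching (public / s-maxage)');
  }
  const vary = tokens(res.vary);
  if (!vary.includes('cookie') && !vary.includes('*')) findings.push('Vary lacks Cookie');
  return findings;
}

// Return a copy of the response headers with the anti-caching set applied,
// keeping any existing Vary fields and adding Cookie.
function hardenAuthenticatedResponse(responseHeaders) {
  const res = normalize(responseHeaders);
  const keepVary = (res.vary || '').split(',').map((t) => t.trim()).filter(Boolean);
  if (!tokens(res.vary).some((t) => t === 'cookie' || t === '*')) keepVary.push('Cookie');
  return { ...res, ...NO_CACHE_HEADERS, vary: keepVary.join(', ') };
}

// Constructed sample: a cookie-bearing request answered with a CDN-cacheable response.
const sampleRequest = { Cookie: 'session=CONSTRUCTED_VALUE' };
const sampleResponse = { 'Cache-Control': 'public, s-maxage=300', Vary: 'Accept-Encoding' };
console.log(auditAuthenticatedResponse(sampleRequest, sampleResponse));
console.log(auditAuthenticatedResponse(sampleRequest, hardenAuthenticatedResponse(sampleResponse)));
```

The audit function can be run over headers captured from behind the CDN for each authenticated route; any non-empty result marks a path whose caching policy needs review.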

This report was generated using AI.

Related JavaScript vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2025-65108 | CRITICAL | 10 | JavaScript | md-to-pdf | No | Yes | Nov 21, 2025 |
| CVE-2025-64767 | CRITICAL | 9.1 | JavaScript | @hpke/core | No | Yes | Nov 21, 2025 |
| CVE-2025-64755 | HIGH | 8.7 | JavaScript | @anthropic-ai/claude-code | No | Yes | Nov 21, 2025 |
| CVE-2025-64762 | HIGH | 8 | JavaScript | @workos-inc/authkit-nextjs | No | Yes | Nov 21, 2025 |
| CVE-2025-63700 | HIGH | 7.5 | JavaScript | @clerk/clerk-js | No | No | Nov 20, 2025 |
