
CVE-2025-64762: CWE-524: Use of Cache Containing Sensitive Information in workos authkit-nextjs

Severity: High
Type: Vulnerability
Tags: cve, cve-2025-64762, cwe-524
Published: Fri Nov 21 2025 (11/21/2025, 01:29:22 UTC)
Source: CVE Database V5
Vendor/Project: workos
Product: authkit-nextjs

Description

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication.

AI-Powered Analysis

Last updated: 11/28/2025, 04:42:49 UTC

Technical Analysis

The vulnerability identified as CVE-2025-64762 affects authkit-nextjs, a library facilitating authentication and session management in Next.js applications integrated with WorkOS. Versions prior to 2.11.1 fail to apply anti-caching HTTP headers on authenticated responses. In environments where CDN caching is enabled, this oversight allows session tokens and other sensitive authentication data to be cached by intermediary CDN nodes. Consequently, these cached responses can be served to other users, leading to session token leakage and unauthorized access. The vulnerability is categorized under CWE-524, which concerns the use of caches containing sensitive information. The issue does not require authentication or user interaction to exploit and can be triggered remotely over the network. The CVSS 4.0 base score is 8.0, reflecting high severity due to the ease of exploitation and the critical impact on confidentiality and integrity. Notably, Next.js applications deployed on Vercel are not vulnerable by default, as Vercel does not enable CDN caching on authenticated paths unless explicitly configured. The fix introduced in authkit-nextjs version 2.11.1 adds appropriate anti-caching headers to all authenticated responses, preventing sensitive data from being cached and served to unauthorized parties. While no active exploits have been reported, the vulnerability poses a significant risk in any deployment scenario where CDN caching is enabled on authenticated endpoints.

Potential Impact

For European organizations, this vulnerability can lead to severe data breaches involving session tokens, enabling attackers to impersonate legitimate users and access sensitive resources. This compromises user confidentiality and integrity, potentially exposing personal data protected under GDPR. Organizations relying on authkit-nextjs for authentication in customer-facing or internal applications that use CDN caching are particularly at risk. The exposure of session tokens can facilitate lateral movement within networks, privilege escalation, and unauthorized data access. The impact extends to reputational damage, regulatory penalties, and operational disruptions. Given the widespread adoption of Next.js and WorkOS in Europe’s tech ecosystem, especially among SaaS providers and enterprises leveraging modern web frameworks, the threat is significant. The risk is heightened in sectors with stringent compliance requirements such as finance, healthcare, and government services. Additionally, organizations using custom CDN configurations or self-hosted CDN solutions are more vulnerable compared to those on managed platforms like Vercel that do not enable caching on authenticated routes by default.

Mitigation Recommendations

European organizations should immediately upgrade authkit-nextjs to version 2.11.1 or later to ensure anti-caching headers are applied to all authenticated responses. Review and audit CDN configurations to confirm that caching is disabled on any endpoints handling authentication or session tokens. Implement strict cache-control headers such as 'Cache-Control: no-store, no-cache, must-revalidate, proxy-revalidate' and 'Pragma: no-cache' on all sensitive routes. Conduct penetration testing and code reviews to verify that no other endpoints inadvertently expose sensitive data via caching. For organizations using custom or third-party CDNs, enforce policies that prevent caching of authenticated content. Additionally, monitor access logs and CDN cache hit/miss ratios for anomalies that could indicate token leakage. Educate development teams on secure caching practices and the risks of caching sensitive information. Finally, consider implementing short-lived session tokens and multi-factor authentication to reduce the impact of any potential token exposure.
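The cache-configuration audit recommended above can be partly automated. The following is an added example, not code from the advisory or from authkit-nextjs: it flags responses that carry session material but could still be stored by a shared cache, then confirms that the recommended headers clear the finding. Function names, paths and sample responses are constructed for illustration.

```javascript
// Added example: flag responses that carry session material yet may be stored
// by a shared cache. Names and data are constructed; header keys are lowercase.

// Parse a Cache-Control value into a Map of lowercase directive -> argument.
function parseCacheControl(value) {
  const directives = new Map();
  for (const part of (value || '').split(',')) {
    const [name, arg = ''] = part.trim().split('=');
    if (name) directives.set(name.toLowerCase(), arg);
  }
  return directives;
}

// Conservative rule: only no-store or private keeps a response out of a shared
// cache. no-cache alone still permits storage, and a missing header leaves the
// decision to heuristics or to the CDN's configured default TTL.
function sharedCacheMayStore(headers) {
  const cc = parseCacheControl(headers['cache-control']);
  return !(cc.has('no-store') || cc.has('private'));
}

// A response is sensitive if it sits behind authentication or sets a cookie.
function carriesSession(sample) {
  return sample.authenticated || 'set-cookie' in sample.headers;
}

// Return the paths whose responses could be cached and served to other users.
function auditResponses(samples) {
  return samples
    .filter((s) => carriesSession(s) && sharedCacheMayStore(s.headers))
    .map((s) => s.path);
}

// Apply the header values recommended in the mitigation text above.
function hardenHeaders(headers) {
  return { ...headers,
    'cache-control': 'no-store, no-cache, must-revalidate, proxy-revalidate',
    pragma: 'no-cache' };
}

// Constructed sample responses (not captured from a real deployment).
const SAMPLES = [
  { path: '/dashboard', authenticated: true, headers: { 'cache-control': 'public, s-maxage=300', 'set-cookie': 'session=EXAMPLE; HttpOnly' } },
  { path: '/account', authenticated: true, headers: { 'set-cookie': 'session=EXAMPLE; HttpOnly' } },
  { path: '/profile', authenticated: true, headers: { 'cache-control': 'private, max-age=60' } },
  { path: '/pricing', authenticated: false, headers: { 'cache-control': 'public, max-age=600' } },
];

console.log(auditResponses(SAMPLES));
```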


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-10T22:29:34.876Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 691fc3ff70da09562fa7fca7

Added to database: 11/21/2025, 1:44:31 AM

Last enriched: 11/28/2025, 4:42:49 AM

Last updated: 1/7/2026, 4:19:09 AM
