
CVE-2025-64762: CWE-524: Use of Cache Containing Sensitive Information in workos authkit-nextjs

Severity: High
Tags: vulnerability, cve-2025-64762, cwe-524
Published: Fri Nov 21 2025 (11/21/2025, 01:29:22 UTC)
Source: CVE Database V5
Vendor/Project: workos
Product: authkit-nextjs

Description

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication.

AI-Powered Analysis

Last updated: 11/21/2025, 01:59:28 UTC

Technical Analysis

CVE-2025-64762 affects authkit-nextjs, the WorkOS library that provides authentication and session-management helpers for Next.js applications. Versions 2.11.0 and below do not set anti-caching headers on authenticated HTTP responses. Where a CDN in front of the application is configured to cache those responses, a response carrying one user's session token can be stored at the edge and then served to every later requester of the same cached URL, breaking both confidentiality and session integrity. The weakness is classified as CWE-524 (Use of Cache Containing Sensitive Information). As indicated by the CVSS 4.0 vector (AV:N/AC:L/AT:N/UI:N), exploitation is network-reachable and low complexity and needs neither privileges nor user interaction: an attacker simply requests a URL whose cached copy holds another user's token. The confidentiality and integrity impact is high, because a leaked session token allows session hijacking and account takeover. Next.js applications deployed on Vercel are not affected in the default configuration, since Vercel's CDN does not cache authenticated responses unless the application itself sets cache headers on those paths; the exposure exists only where the application, or an intermediary CDN, has opted authenticated paths into caching. Version 2.11.1 fixes the issue by applying anti-caching headers to every response served behind authentication, so shared caches are instructed not to store them. No exploitation in the wild has been reported; the High severity rating reflects the impact once the caching precondition is met.
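The following is an added example, not authkit-nextjs or WorkOS code. It models the failure mode described above: whether a shared cache (a CDN) is allowed to store a response under the RFC 9111 storability rules that matter here, whether that response carries session material, and how a defensive header stamp of the kind the 2.11.1 fix applies closes the gap. The header names and values, the JWT-shape heuristic and the sample response are this example's own constructions, not the library's.

```javascript
// Added example, not authkit-nextjs code. Header objects are plain maps with
// lowercase names; all sample values below are constructed.

// Parse "Cache-Control" into { directive: value | true }, directives lowercased.
function parseCacheControl(value) {
  const directives = {};
  if (!value) return directives;
  for (const part of value.split(',')) {
    const eq = part.indexOf('=');
    const name = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    if (!name) continue;
    directives[name] = eq === -1 ? true : part.slice(eq + 1).trim().replace(/^"(.*)"$/, '$1');
  }
  return directives;
}

// May a SHARED cache store this response?
// cdnCachesByDefault models a CDN configured to cache responses that carry no
// explicit freshness information (the "CDN caching enabled" precondition).
function sharedCacheMayStore(headers, { cdnCachesByDefault = false } = {}) {
  const cc = parseCacheControl(headers['cache-control']);
  if ('no-store' in cc) return false;   // RFC 9111 5.2.2.5: must not be stored at all
  if ('private' in cc) return false;    // RFC 9111 5.2.2.7: not by shared caches
  // 'no-cache' deliberately does NOT return here: it only forces revalidation
  // before reuse; the response may still be written to the cache.
  if ('s-maxage' in cc || 'max-age' in cc || 'public' in cc || headers['expires']) return true;
  return cdnCachesByDefault;            // heuristic caching is a CDN policy choice
}

// Does the response carry session material a cached copy would leak?
// Set-Cookie is the usual carrier for a refreshed session cookie; the JWT-shape
// test is a heuristic (assumption) for tokens returned in a response body.
const JWT_SHAPE = /\b[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\.[A-Za-z0-9_-]{8,}\b/;
function carriesSessionMaterial(headers, body = '') {
  return Boolean(headers['set-cookie']) || JWT_SHAPE.test(body);
}

// The exposure in the advisory: session material in a response that a shared
// cache is permitted to keep and replay to other users.
function cachedTokenExposure(headers, body = '', opts = {}) {
  return carriesSessionMaterial(headers, body) && sharedCacheMayStore(headers, opts);
}

// Fix pattern: unconditionally stamp anti-caching headers on every response
// served behind authentication. These exact values are this example's choice,
// not necessarily the library's.
function applyAntiCachingHeaders(headers) {
  return {
    ...headers,
    'cache-control': 'private, no-cache, no-store, max-age=0, must-revalidate',
    pragma: 'no-cache',
    expires: '0',
  };
}

// Constructed scenario: an application opted an authenticated page into CDN
// caching with s-maxage while the response also refreshes the session cookie.
const authenticatedPage = {
  'content-type': 'text/html; charset=utf-8',
  'cache-control': 'public, s-maxage=60',
  'set-cookie': 'session=eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyJ9.c2ln; Path=/; HttpOnly; Secure',
};

console.log('vulnerable:', cachedTokenExposure(authenticatedPage));                          // true
console.log('patched:   ', cachedTokenExposure(applyAntiCachingHeaders(authenticatedPage))); // false
console.log('no-cache only, CDN caches by default:',
  sharedCacheMayStore({ 'cache-control': 'no-cache' }, { cdnCachesByDefault: true }));       // true
```

The last line is the caveat worth remembering: `no-cache` on its own does not keep a response out of a CDN, it only forces revalidation before reuse; `no-store` (and `private`, for shared caches) is what prevents storage.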

Potential Impact

For European organizations running authkit-nextjs 2.11.0 or below behind a CDN that caches authenticated responses, the risk is direct loss of session confidentiality and integrity: an attacker who requests a cached URL can receive another user's session token and use it to act as that user. The consequences range from disclosure of personal or corporate data to unauthorized transactions. Organizations subject to GDPR, particularly in finance, healthcare and government, additionally face notification duties and potential penalties if session data is leaked. The exposure is not limited to a single victim: whichever user's response happens to be stored at the edge is replayed to everyone who requests that URL until the entry expires or is purged, so one misconfigured route can leak tokens continuously. Because exploitation requires no authentication or user interaction, mitigation is urgent wherever the caching precondition holds. Deployments on Vercel with default settings are not exposed unless cache headers have been added to authenticated routes.

Mitigation Recommendations

Upgrade authkit-nextjs to 2.11.1 or later, which sets anti-caching headers on all authenticated responses. Where the upgrade cannot be applied immediately, audit the CDN configuration and disable caching for every authenticated or session-bearing route, and have the application send Cache-Control: private, no-store on those responses (optionally with Pragma: no-cache for legacy intermediaries). Note that no-cache alone is not sufficient: it permits a cache to store the response and only requires revalidation before reuse, whereas no-store forbids storage and private excludes shared caches such as CDNs. Because an entry cached before the fix keeps being served until it expires, purge the CDN cache for authenticated paths after deploying the header change. Verify the result by requesting an authenticated route twice and confirming that the second response carries no cache-hit evidence (a non-zero Age header, or a HIT value in the provider's cache-status header such as X-Vercel-Cache or CF-Cache-Status), and that Set-Cookie values and tokens never appear in a response marked as a hit. On Vercel, confirm that no route, config or middleware sets cache headers on authenticated paths. Educate development teams about the risk of caching authenticated content, and limit the blast radius of any leak through short session lifetimes and token revocation.
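The verification step above, as an added example that is not part of the original page or of the WorkOS project: a cross-user probe that primes a cache with a victim's authenticated request, re-requests the URL without credentials as another user would, and classifies the response by cache-hit evidence and by whether the victim's known token values surface in it. The provider cache-status header names are the commonly documented ones; the URL, cookie and sample headers are placeholders and constructed data.

```javascript
// Added example, not authkit-nextjs or WorkOS code. Pure audit logic plus a
// live probe (Node 18+ global fetch) that is not executed here.

const CACHE_STATUS_HEADERS = ['x-vercel-cache', 'cf-cache-status', 'x-cache', 'x-cache-status', 'cache-status'];

// Lowercase header names so lookups are case-insensitive; accepts a plain object
// or an iterable of [name, value] pairs (e.g. a fetch() Headers object).
function normalizeHeaders(input) {
  const out = {};
  const entries = typeof input[Symbol.iterator] === 'function' ? input : Object.entries(input);
  for (const [name, value] of entries) out[name.toLowerCase()] = String(value);
  return out;
}

// Evidence that an intermediary served this copy from its cache.
function servedFromCache(h) {
  const age = Number.parseInt(h['age'] ?? '', 10);
  if (Number.isFinite(age) && age > 0) return true;   // RFC 9111: Age reflects time spent in a cache
  for (const name of CACHE_STATUS_HEADERS) {
    if ((h[name] ?? '').toUpperCase().includes('HIT')) return true;   // "HIT", "hit; fwd=..." etc.
  }
  return false;
}

// Does the response expose any of the victim's known token values (cookie
// value, access token) in its Set-Cookie header or body?
function exposesKnownTokens(h, body, knownTokens) {
  const haystack = `${h['set-cookie'] ?? ''}\n${body}`;
  return knownTokens.some((t) => t.length > 0 && haystack.includes(t));
}

// Classify one response to an authenticated route:
//   'leak'   cached copy that sets a cookie or contains a known token
//   'cached' cache hit without visible session material (still wrong for an
//            authenticated route)
//   'ok'     no cache-hit evidence
function auditAuthenticatedResponse(headers, body = '', knownTokens = []) {
  const h = normalizeHeaders(headers);
  const cached = servedFromCache(h);
  const setsCookie = Boolean(h['set-cookie']);
  const leaksKnownToken = exposesKnownTokens(h, body, knownTokens);
  let verdict = 'ok';
  if (cached && (setsCookie || leaksKnownToken)) verdict = 'leak';
  else if (cached) verdict = 'cached';
  return { cached, setsCookie, leaksKnownToken, verdict };
}

// Live probe (placeholders: url, victimCookieHeader, victimTokens are yours).
// Prime the cache as the victim, then request the same URL unauthenticated as a
// second user would and audit what comes back.
async function crossUserCacheProbe(url, victimCookieHeader, victimTokens) {
  await fetch(url, { headers: { cookie: victimCookieHeader }, redirect: 'manual' });
  const probe = await fetch(url, { redirect: 'manual' });
  return auditAuthenticatedResponse(probe.headers, await probe.text(), victimTokens);
}

// Constructed sample: what a leaking deployment would return to the probe.
const leakingSample = {
  'Content-Type': 'text/html; charset=utf-8',
  'Cache-Control': 'public, s-maxage=60',
  'Age': '17',
  'X-Vercel-Cache': 'HIT',
  'Set-Cookie': 'session=victim-token-123; Path=/; HttpOnly; Secure',
};
console.log(auditAuthenticatedResponse(leakingSample, '<html></html>', ['victim-token-123']));
// { cached: true, setsCookie: true, leaksKnownToken: true, verdict: 'leak' }
```

Run the probe against a staging deployment with a throwaway account; a 'cached' verdict on an authenticated route is already a configuration defect to fix, even before any token is observed, because the next cached copy may belong to a real user.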


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2025-11-10T22:29:34.876Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 691fc3ff70da09562fa7fca7

Added to database: 11/21/2025, 1:44:31 AM

Last enriched: 11/21/2025, 1:59:28 AM

Last updated: 11/21/2025, 3:05:00 PM



