In versions before 0.15.0, @workos-inc/authkit-remix exposed sensitive authentication artifacts — specifically sealedSession and accessToken — by returning them from the authkitLoader. This caused them to be rendered into the browser HTML.

Impact

Exposure of these artifacts could lead to session hijacking in environments where cross-site scripting (XSS), malicious browser extensions, or local inspection is possible.

Patches

Patched in https://github.com/workos/authkit-remix/releases/tag/v0.15.0

In patched versions:

- sealedSession and accessToken are no longer returned by default from the authkitLoader.
- A secure server-side mechanism is provided to fetch an access token as needed.
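The following added example is not code from @workos-inc/authkit-remix; it illustrates the bug class described above with an assumed auth-object shape (user, sessionId, accessToken, sealedSession). It contrasts a loader that returns the whole auth object (so Remix serializes it into the page's hydration payload) with one that strips server-only keys, and includes a check that scans loader data for those keys at any depth.

```typescript
// Added example, not the library's own code. The AuthResult shape is an
// assumption made for illustration; field values below are constructed.
interface AuthResult {
  user: { id: string; email: string };
  sessionId: string;
  accessToken?: string;
  sealedSession?: string;
  [key: string]: unknown;
}

// Keys that must never leave the server through loader data.
const SERVER_ONLY_KEYS = new Set(["accessToken", "sealedSession"]);

// Vulnerable pattern: the whole auth object is returned, so the framework
// serializes it into the HTML and any script running in the page can read it.
function vulnerableLoaderData(auth: AuthResult): Record<string, unknown> {
  return { ...auth };
}

// Hardened pattern: strip server-only keys before returning loader data.
function safeLoaderData(auth: AuthResult): Record<string, unknown> {
  const out: Record<string, unknown> = {};
  for (const [k, v] of Object.entries(auth)) {
    if (!SERVER_ONLY_KEYS.has(k)) out[k] = v;
  }
  return out;
}

// Detection check: walk the JSON a loader would send to the browser (e.g. the
// hydration payload) and report the path of any server-only key at any depth.
function findLeakedKeys(data: unknown, path = ""): string[] {
  if (data === null || typeof data !== "object") return [];
  const leaks: string[] = [];
  for (const [k, v] of Object.entries(data as Record<string, unknown>)) {
    const p = path ? `${path}.${k}` : k;
    if (SERVER_ONLY_KEYS.has(k)) leaks.push(p);
    leaks.push(...findLeakedKeys(v, p));
  }
  return leaks;
}

// Constructed sample auth result; every value is a placeholder.
const sampleAuth: AuthResult = {
  user: { id: "user_01EXAMPLE", email: "dev@example.com" },
  sessionId: "session_01EXAMPLE",
  accessToken: "EXAMPLE.ACCESS.TOKEN",
  sealedSession: "EXAMPLE_SEALED_SESSION",
};

console.log(findLeakedKeys({ loaderData: { root: vulnerableLoaderData(sampleAuth) } }));
console.log(findLeakedKeys({ loaderData: { root: safeLoaderData(sampleAuth) } }));
```

Running the check against a captured hydration payload in a CI test is a cheap regression guard for this class of leak.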