CVSS 3.1 Score 4.8 of 10 (medium)


Published Mar 29, 2024
Updated: Apr 1, 2024
CWE ID 294 (Authentication Bypass by Capture-replay)


CVE-2024-29901 is a vulnerability in the AuthKit library for Next.js, affecting version 0.4.2 and earlier. It allows an attacker to reuse an expired session by supplying their own value for the `x-workos-session` request header. The vulnerability has a base severity of MEDIUM and a base score of 4.8 under the CVSS 3.1 scoring system. The exploitability score is 2.2, indicating a moderate level of difficulty for an attacker to exploit the vulnerability. The impact score is 2.5, with low integrity and confidentiality impacts and no availability impact. No privileges or user interaction are required, and the attack vector is the network. The danger to organizations is that an attacker could bypass authentication by capturing and replaying session data, potentially gaining unauthorized access to sensitive information or performing actions on behalf of legitimate users. The vulnerability has been patched in version 0.4.2 of the AuthKit library, so organizations should update their software to remediate this issue.

Prevent cyber attacks with Recorded Future by prioritizing and patching critical vulnerabilities being exploited by threat actors targeting your industry. Book your demo to learn more.


Prioritize, Pinpoint, and Act to Prevent Vulnerability Exploits with Recorded Future

Note: This is just a basic overview providing quick insights into CVE-2024-29901. Gain full access to comprehensive CVE data, third-party vulnerabilities, compromised credentials and more with Recorded Future.
  • Gain complete coverage of your cyber, third-party, and physical attack surface
  • Proactively mitigate threats before they turn into costly attacks
  • Make fast, effective, data-driven decisions