CVSS 3.1 Score 4.8 of 10 (medium)


Published Mar 29, 2024
Updated: Apr 1, 2024
CWE ID 294


CVE-2024-29901 is a vulnerability in the AuthKit library for Next.js, affecting versions prior to 0.4.2. It allows an attacker to reuse an expired session by controlling the x-workos-session request header. The vulnerability has a base severity of MEDIUM and a base score of 4.8 under the CVSS 3.1 scoring system. The attack vector is the network and no privileges or user interaction are required, but attack complexity is rated High, which is what holds the exploitability subscore down to 2.2. The impact subscore is 2.5, reflecting low confidentiality and low integrity impacts and no availability impact.

The danger to organizations is that an attacker who captures or retains session data can replay it after the session should have expired, bypassing authentication (CWE-294, authentication bypass by capture-replay) and gaining access to information or actions belonging to the legitimate user. The vulnerability has been patched in version 0.4.2 of the AuthKit library, so organizations running an earlier version should upgrade to remediate the issue.
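The bug class the advisory describes, shown as an added example that is not the AuthKit library's own code: a middleware that hands session state to the application through an internal request header, and an application helper that trusts that header because middleware is expected to have validated it. If the middleware only sets the header when the cookie session is still live and otherwise leaves the incoming request untouched, a client-supplied x-workos-session header survives and an expired session is replayed. The request shape, the base64url JSON session encoding, the cookie name and the middleware/handler split are all assumptions made for this demonstration; real AuthKit sessions are sealed and the library's internals are not reproduced here.

```javascript
// Illustrative model of the CVE-2024-29901 bug class (added example, not
// authkit-nextjs source). Header names are lowercase, as Node normalizes them.
const INTERNAL_HEADER = "x-workos-session";
const SESSION_COOKIE = "wos-session"; // assumed cookie name for the demo

// Constructed session encoding: base64url of {sub, exp}. Real AuthKit sessions
// are sealed/encrypted; plain JSON is enough to show the header-trust problem.
function encodeSession(sub, expMs) {
  return Buffer.from(JSON.stringify({ sub, exp: expMs })).toString("base64url");
}

function decodeSession(token) {
  try {
    return JSON.parse(Buffer.from(token, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

function isLive(session, nowMs) {
  return session !== null && typeof session.exp === "number" && session.exp > nowMs;
}

// Vulnerable middleware: forwards the cookie into the internal header only when
// the cookie session is live. On an expired session the incoming headers are
// passed through unchanged, so a header the client sent is still there.
function vulnerableMiddleware(req, nowMs) {
  const token = req.cookies[SESSION_COOKIE] ?? "";
  const headers = { ...req.headers };
  if (isLive(decodeSession(token), nowMs)) {
    headers[INTERNAL_HEADER] = token;
  }
  return { ...req, headers };
}

// Hardened middleware: the internal header is never accepted from the client.
// It is removed unconditionally and re-added only from a live, server-validated
// cookie session, so the handler can only ever see a value the middleware set.
function hardenedMiddleware(req, nowMs) {
  const token = req.cookies[SESSION_COOKIE] ?? "";
  const headers = { ...req.headers };
  delete headers[INTERNAL_HEADER];
  if (isLive(decodeSession(token), nowMs)) {
    headers[INTERNAL_HEADER] = token;
  }
  return { ...req, headers };
}

// Application-side helper: trusts the internal header the way a page helper
// would after middleware has run (the trust split is the assumption here).
function getUser(forwardedReq) {
  const session = decodeSession(forwardedReq.headers[INTERNAL_HEADER] ?? "");
  return session && typeof session.sub === "string" ? session.sub : null;
}

// Replay scenario: the attacker's own session expired an hour ago. They resend
// the old token both as the cookie and as the internal header.
function replayExpiredSession(middleware) {
  const now = Date.parse("2024-03-29T12:00:00Z");
  const expiredToken = encodeSession("user_01", now - 3600 * 1000);
  const req = {
    headers: { [INTERNAL_HEADER]: expiredToken }, // attacker-controlled header
    cookies: { [SESSION_COOKIE]: expiredToken },
  };
  return getUser(middleware(req, now));
}

// Control scenario: a legitimate live session with no client-supplied header
// must still resolve to the user under either middleware.
function legitimateSession(middleware) {
  const now = Date.parse("2024-03-29T12:00:00Z");
  const liveToken = encodeSession("user_02", now + 600 * 1000);
  const req = { headers: {}, cookies: { [SESSION_COOKIE]: liveToken } };
  return getUser(middleware(req, now));
}

console.log("vulnerable, expired replay:", replayExpiredSession(vulnerableMiddleware));
console.log("hardened,   expired replay:", replayExpiredSession(hardenedMiddleware));
console.log("hardened,   live session:  ", legitimateSession(hardenedMiddleware));
```

The generalizable check is the one in `hardenedMiddleware`: any header that exists only to carry state from middleware to the application must be deleted from the incoming request before the middleware decides whether to set it, regardless of the session outcome. A quick regression test for a deployment is to send a request with an expired or fabricated x-workos-session header and confirm the application treats it as unauthenticated.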
