Low severity · NVD Advisory · Published Nov 5, 2024 · Updated Apr 15, 2026
CVE-2024-51753
Description
The AuthKit library for Remix provides convenient helpers for authentication and session management using WorkOS & AuthKit with Remix. In affected versions, refresh tokens are logged to the console when the debug flag, which is disabled by default, is enabled. This issue has been patched in version 0.4.1. All users are advised to upgrade. There are no known workarounds for this vulnerability.
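For anyone who ran a version before 0.4.1 with the debug flag on, the following added example (not code from the advisory or from the authkit-remix project) scans captured console output for the two pre-patch debug messages that appear as removed lines in the patch on this page, collects the exposed token values, and scrubs them from the stored log. The token pattern (the next whitespace-delimited field), the function names and the sample log lines are assumptions constructed for illustration.

```javascript
// Added example. Message prefixes are the ones removed from src/session.ts in 0.4.1.
// Assumption: the token is the next whitespace-delimited field after the prefix.
const LEAK_PATTERNS = [
  // 'presented': the token sent to authenticateWithRefreshToken
  { kind: 'presented', re: /Session invalid\. Attempting refresh (\S+)/ },
  // 'issued': the new token returned by the refresh
  { kind: 'issued', re: /Refresh successful: (\S+)/ },
];
const PLACEHOLDER = '[REDACTED refresh token]';

// Returns one finding per leaking line: { line, kind, token }.
function findLeakedRefreshTokens(logText) {
  const findings = [];
  logText.split(/\r?\n/).forEach((text, i) => {
    for (const { kind, re } of LEAK_PATTERNS) {
      const m = re.exec(text);
      // console.log prints a missing value as "undefined"; that is not a leak.
      if (m && m[1] !== 'undefined') findings.push({ line: i + 1, kind, token: m[1] });
    }
  });
  return findings;
}

// Rewrites the log so stored copies no longer carry the token values.
function scrubLog(logText) {
  return logText.split(/\r?\n/).map((text) =>
    LEAK_PATTERNS.reduce(
      (out, { re }) => out.replace(re, (whole, tok) =>
        tok === 'undefined' ? whole : whole.slice(0, -tok.length) + PLACEHOLDER),
      text)).join('\n');
}

// Distinct token values that must be treated as exposed.
function distinctExposedTokens(findings) {
  return [...new Set(findings.map((item) => item.token))];
}

// Constructed sample log; the token values are made up.
const SAMPLE_LOG = [
  '2024-11-01T10:00:00Z Session invalid. Attempting refresh rt_constructed_AAA111',
  '2024-11-01T10:00:01Z Refresh successful: rt_constructed_BBB222',
  '2024-11-01T10:05:00Z Session invalid. Attempting refresh rt_constructed_BBB222',
  '2024-11-01T10:05:01Z Session invalid. Attempting refresh undefined',
  '2024-11-01T10:06:00Z Refresh successful. New access token ends in 0123456789',
].join('\n');

const sampleFindings = findLeakedRefreshTokens(SAMPLE_LOG);
console.log(sampleFindings.map(({ line, kind }) => ({ line, kind }))); // no token values printed
console.log(distinctExposedTokens(sampleFindings).length, 'distinct exposed tokens');
console.log(scrubLog(SAMPLE_LOG));
```

The last sample line uses the 0.4.1 message format and is deliberately left untouched, since it carries no refresh token.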
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| @workos-inc/authkit-remix (npm) | < 0.4.1 | 0.4.1 |
Patches
32d5bcd54c79 Update logging strategy (#27)
3 files changed · +4 −4
package.json+1 −1 modified@@ -1,6 +1,6 @@ { "name": "@workos-inc/authkit-remix", - "version": "0.4.0", + "version": "0.4.1", "description": "Authentication and session helpers for using WorkOS & AuthKit with Remix", "sideEffects": false, "type": "commonjs",
src/session.ts+2 −2 modified@@ -27,15 +27,15 @@ async function updateSession(request: Request, debug: boolean) { } try { - if (debug) console.log('Session invalid. Attempting refresh', session.refreshToken); + if (debug) console.log(`Session invalid. Refreshing access token that ends in ${session.accessToken.slice(-10)}`); // If the session is invalid (i.e. the access token has expired) attempt to re-authenticate with the refresh token const { accessToken, refreshToken } = await workos.userManagement.authenticateWithRefreshToken({ clientId: WORKOS_CLIENT_ID, refreshToken: session.refreshToken, }); - if (debug) console.log('Refresh successful:', refreshToken); + if (debug) console.log(`Refresh successful. New access token ends in ${accessToken.slice(-10)}`); const newSession = { accessToken,
src/workos.ts+1 −1 modified@@ -1,7 +1,7 @@ import { WorkOS } from '@workos-inc/node'; import { WORKOS_API_HOSTNAME, WORKOS_API_HTTPS, WORKOS_API_KEY, WORKOS_API_PORT } from './env-variables.js'; -const VERSION = '0.4.0'; +const VERSION = '0.4.1'; const options = { apiHostname: WORKOS_API_HOSTNAME,
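Review bot: In src/session.ts both replacement debug lines still write token-derived material to the console, namely the last 10 characters of the access token via `session.accessToken.slice(-10)` and `accessToken.slice(-10)`. If the goal is only to correlate a refresh attempt with its result, log a value that is not derived from any token (for example a per-request correlation id), or drop the suffix. The first call also sits inside the `try` and would throw if debug is on and the session ever lacks an `accessToken`, so a guard is worth adding. The commit changes 3 files and none of them is a test, so nothing asserts that debug output stays free of token values.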
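Review bot: The version string is maintained by hand in two places, `"version": "0.4.1"` in package.json and `const VERSION = '0.4.1'` in src/workos.ts, and this commit has to bump both in lockstep. Consider deriving `VERSION` from package.json at build time so a release cannot ship with the two out of sync.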
References
- github.com/advisories/GHSA-v2qh-f584-6hj8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2024-51753 (ghsa, ADVISORY)
- github.com/workos/authkit-remix/commit/32d5bcd54c795c1e2a3204f8e3977ab9ad57ec06 (nvd, WEB)
- github.com/workos/authkit-remix/releases/tag/v0.4.1 (nvd, WEB)
- github.com/workos/authkit-remix/security/advisories/GHSA-v2qh-f584-6hj8 (nvd, WEB)