CVE-2024-51752 — @workos-inc/authkit-nextjs refresh tokens are logged when the debug flag is enab

Description

### Impact Refresh tokens are logged to the console when the disabled by default `debug` flag, is enabled. ### Patches Patched in [https://github.com/workos/authkit-nextjs/releases/tag/v0.13.2](https://github.com/workos/authkit-nextjs/releases/tag/v0.13.2)

How to fix CVE-2024-51752

To remediate CVE-2024-51752, upgrade the affected package to a fixed version below.

npm/@workos-inc/authkit-nextjs—upgrade to 0.13.2 or later

Is CVE-2024-51752 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.13.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-51752
PATCHgithub.com/workos/authkit-nextjs
WEBgithub.com/workos/authkit-nextjs/commit/15a332632f7560b03cc6d8cc8da24fd2ac931da7
WEBgithub.com/workos/authkit-nextjs/releases/tag/v0.13.2