Security Vulnerability Report
CVE-2025-64762 CVSS 9.1 CRITICAL

CVE-2025-64762

Published: 2025-11-21 02:15:44
Last Modified: 2025-12-11 17:45:37

Description

The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:workos:authkit-nextjs:*:*:*:*:*:node.js:*:* - VULNERABLE
authkit-nextjs <= 2.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-64762 PoC - 检测AuthKit Next.js缓存泄露漏洞 # 环境要求:已认证用户的会话令牌,目标站点启用CDN缓存 import requests import sys from urllib.parse import urljoin def check_cache_headers(response): """检查响应是否包含抗缓存头部""" cache_control = response.headers.get('Cache-Control', '') pragma = response.headers.get('Pragma', '') # 检查是否存在抗缓存策略 no_store = 'no-store' in cache_control.lower() no_cache = 'no-cache' in cache_control.lower() private = 'private' in cache_control.lower() return no_store or no_cache or 'no-cache' in pragma.lower() def test_caching_vulnerability(base_url, session_cookie): """ 测试认证端点是否存在缓存敏感信息风险 """ # 测试的认证保护端点(通常是需要认证的API或页面) test_endpoints = [ '/api/user/profile', '/api/auth/session', '/dashboard', '/api/settings' ] headers = { 'Cookie': f'session={session_cookie}', 'User-Agent': 'Mozilla/5.0 (Security Scan)' } results = { 'vulnerable': False, 'tested_endpoints': [], 'details': [] } for endpoint in test_endpoints: url = urljoin(base_url, endpoint) try: # 发送第一个请求 response1 = requests.get(url, headers=headers, timeout=10) has_cache_headers1 = check_cache_headers(response1) # 发送第二个请求,检查响应是否可能来自缓存 response2 = requests.get(url, headers=headers, timeout=10) has_cache_headers2 = check_cache_headers(response2) endpoint_result = { 'url': url, 'status_code': response1.status_code, 'has_anti_cache_headers': has_cache_headers1 and has_cache_headers2, 'set_cookie_present': 'Set-Cookie' in response1.headers, 'cache_control': response1.headers.get('Cache-Control', 'Not Set') } results['tested_endpoints'].append(endpoint_result) # 如果认证响应缺少抗缓存头部且包含会话信息,则标记为可能存在漏洞 if (response1.status_code == 200 and not has_cache_headers1 and 'Set-Cookie' in response1.headers): results['vulnerable'] = True results['details'].append( f"[VULN] {url} - Missing anti-cache headers, contains session cookie" ) else: results['details'].append( f"[SAFE] {url} - Has proper cache control headers" ) except requests.RequestException as e: results['details'].append(f"[ERROR] {url} - {str(e)}") return results def main(): if 
len(sys.argv) < 3: print("Usage: python cve-2025-64762_poc.py <target_url> <session_cookie>") print("Example: python cve-2025-64762_poc.py https://app.example.com 'abc123...'") sys.exit(1) target_url = sys.argv[1] session_cookie = sys.argv[2] print(f"[*] Testing CVE-2025-64762: AuthKit Next.js Cache Token Leak") print(f"[*] Target: {target_url}") print("-" * 60) results = test_caching_vulnerability(target_url, session_cookie) for detail in results['details']: print(detail) print("-" * 60) if results['vulnerable']: print("[!] VULNERABLE: Auth responses lack anti-cache headers") print("[!] Session tokens may be cached by CDN and exposed to other users") print("[!] Recommendation: Upgrade authkit-nextjs to version 2.11.1 or later") return 1 else: print("[+] NOT VULNERABLE: Proper cache control headers are present") return 0 if __name__ == "__main__": sys.exit(main())

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-64762", "sourceIdentifier": "[email protected]", "published": "2025-11-21T02:15:44.077", "lastModified": "2025-12-11T17:45:37.417", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "The AuthKit library for Next.js provides convenient helpers for authentication and session management using WorkOS & AuthKit with Next.js. In authkit-nextjs version 2.11.0 and below, authenticated responses do not defensively apply anti-caching headers. In environments where CDN caching is enabled, this can result in session tokens being included in cached responses and subsequently served to multiple users. Next.js applications deployed on Vercel are unaffected unless they manually enable CDN caching by setting cache headers on authenticated paths. Patched in authkit-nextjs 2.11.1, which applies anti-caching headers to all responses behind authentication."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.0, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "UNREPORTED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", 
"modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-524"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:workos:authkit-nextjs:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2.11.1", "matchCriteriaId": "C94F2190-CF34-4A96-91A9-01182E2C3993"}]}]}], "references": [{"url": "https://github.com/workos/authkit-nextjs/commit/94cf438124993abb0e7c19dac64c3cb5724a15ea", "source": "[email protected]", "tags": ["Patch"]}, {"url": "https://github.com/workos/authkit-nextjs/releases/tag/v2.11.1", "source": "[email protected]", "tags": ["Release Notes"]}, {"url": "https://github.com/workos/authkit-nextjs/security/advisories/GHSA-p8pf-44ff-93gf", "source": "[email protected]", "tags": ["Patch", "Third Party Advisory"]}]}}