Impact
@workos/authkit-session is a framework for building WorkOS AuthKit integrations. Before version 0.5.1, the AuthService.handleCallback function lacks proper validation of the returnPathname value that is derived from the OAuth state parameter. Because the state round-trips through the identity provider, an attacker can manipulate it. The handleCallback method decodes this value and returns it without enforcing any origin or scheme restrictions. Consequently, a maliciously crafted returnPathname may be returned to the application and, if used directly for a redirect, can send an authenticated user to an external, attacker-controlled website, exposing them to phishing or credential-stealing attacks. The vulnerability is fixed in version 0.5.1.
Affected Systems
The affected product is the @workos/authkit-session library; all applications that depend on versions prior to 0.5.1 are impacted. No specific platform or OS details are listed, so any environment where this library is used may be vulnerable.
Risk and Exploitability
The CVSS score of 4.3 indicates a moderate severity. EPSS information is not available and the vulnerability is not listed in the CISA KEV catalog. The likely attack path involves an attacker manipulating the OAuth state value during authentication. If the application uses the unchecked returnPathname in a redirect, the user will be sent to a malicious site. The risk is therefore limited to the redirect handling code; no remote code execution or privilege escalation is possible.
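As an added example (not code from @workos/authkit-session), the check an application can apply to the decoded returnPathname before using it in a redirect: only same-origin paths pass, and absolute URLs, protocol-relative forms such as `//host` and `/\host`, non-http schemes and control characters all fall back to `/`. The JSON layout of the state value and the application origin are constructed assumptions.

```javascript
// Constructed assumption: the application's own origin.
const APP_ORIGIN = "https://app.example.com";

/**
 * Return `candidate` only if it is a same-origin path; otherwise `fallback`.
 * Intended for a returnPathname recovered from the OAuth `state` parameter,
 * which an attacker may have tampered with on its way through the IdP.
 */
function safeReturnPathname(candidate, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0 || candidate.length > 2048) {
    return fallback;
  }
  // ASCII control characters: the URL parser strips some of them silently,
  // which would let a value pass that looks different to other consumers.
  if (/[\u0000-\u001F\u007F]/.test(candidate)) return fallback;
  // Exactly one leading slash. "//host" is protocol-relative, and browsers
  // (and the WHATWG URL parser) treat "/\host" the same way.
  if (!candidate.startsWith("/") || /^\/[\/\\]/.test(candidate)) return fallback;
  // Defense in depth: resolve against our origin and require it to be unchanged.
  let resolved;
  try {
    resolved = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;
  return resolved.pathname + resolved.search + resolved.hash;
}

/**
 * Models the callback step: decode the state and derive the redirect target.
 * Constructed assumption: state is a JSON object with a returnPathname field.
 * The vulnerable pattern returns the decoded field as-is; this version
 * passes it through safeReturnPathname first.
 */
function redirectTargetFromState(state) {
  let decoded;
  try {
    decoded = JSON.parse(state);
  } catch {
    return "/";
  }
  const candidate = decoded && typeof decoded === "object" ? decoded.returnPathname : undefined;
  return safeReturnPathname(candidate);
}
```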
OpenCVE Enrichment
Github GHSA