workos is vulnerable to Insertion of Sensitive Information into Log File
38
Low Risk
The SDK's HTTP runtime in base_client.rb writes the full request path and query string to the configured logger on every request, retry, and error. Token-bearing endpoint paths such as /user_management/magic_auth/<token>, invitation by_token, password-reset, and email-verification paths, plus sensitive query keys like token, code, refresh_token, access_token, and session_id, are emitted verbatim into application logs. Anyone with read access to those logs can recover bearer-equivalent, often single-use authentication secrets and replay them to take over accounts or complete auth flows. The fix adds redact_path to mask token path segments and sensitive query-string values before any log line is written.
You are affected if you are using a version that falls within the vulnerable range and you configure a logger on the WorkOS client.
workos is vulnerable to Insertion of Sensitive Information into Log File in versions 7.0.0 - 8.0.0.
Upgrade the workos library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant