@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
CVE-2024-22206

9.1CRITICAL

Key Information:

Vendor

clerk

Status
javascript
Vendor
CVE Published:
12 January 2024

What is CVE-2024-22206?

A logic flaw in the authentication process within Clerk's user management system can lead to unauthorized access or privilege escalation. Specifically, issues reside in the auth() method of the App Router and the getAuth() method of the Pages Router. This vulnerability became known through advisory notifications and has been addressed in version 4.29.3. Developers using Clerk are encouraged to update to the latest version to mitigate potential security risks.

Affected Version(s)

javascript >= 4.7.0, < 4.29.3

References

https://github.com/clerk/javascript/security/advisories/G...
x_refsource_CONFIRM
https://clerk.com/changelog/2024-01-12
x_refsource_MISC
https://github.com/clerk/javascript/releases/tag/%40clerk...
x_refsource_MISC

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.