Critical severityNVD Advisory· Published Jan 12, 2024· Updated Nov 14, 2024

@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)

CVE-2024-22206

Description

Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@clerk/nextjsnpm	>= 4.7.0, < 4.29.3	4.29.3

Affected products

Clerk/JavaScriptv5
Range: >= 4.7.0, < 4.29.3

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-q6w5-jg5q-47vgghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-22206ghsaADVISORY
clerk.com/changelog/2024-01-12ghsax_refsource_MISCWEB
github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3ghsax_refsource_MISCWEB
github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vgghsax_refsource_CONFIRMWEB

News mentions

No linked articles in our index yet.

cvss	0.585
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000