VYPR
Critical severityNVD Advisory· Published Jan 12, 2024· Updated Nov 14, 2024

@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)

CVE-2024-22206

Description

Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
@clerk/nextjsnpm
>= 4.7.0, < 4.29.34.29.3

Affected products

2

Patches

Vulnerability mechanics

References

5

News mentions

0

No linked articles in our index yet.