CVE-2024-22206 – @clerk/nextjs
Package
Manager: npm
Name: @clerk/nextjs
Vulnerable Version: >=4.7.0 <4.29.3
Severity
Level: Critical
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
EPSS: 0.00264 (percentile 0.49579)
Details
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
Impact
Unauthorized access or privilege escalation due to a logic flaw in `auth()` in the App Router or `getAuth()` in the Pages Router.
Affected Versions
All applications that use `@clerk/nextjs` versions in the range `>= 4.7.0`, `< 4.29.3` in a Next.js backend to authenticate API Routes, App Router, or Route Handlers; specifically, those that call `auth()` in the App Router or `getAuth()` in the Pages Router. Only the `@clerk/nextjs` SDK is impacted. Other SDKs, including other JavaScript-based SDKs, are not impacted.
Patches
Fix included in `@clerk/nextjs@4.29.3`.
References
- https://clerk.com/changelog/2024-01-12
- https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3
Metadata
Created: 2024-01-12T20:27:29Z
Modified: 2024-01-12T22:33:02Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/01/GHSA-q6w5-jg5q-47vg/GHSA-q6w5-jg5q-47vg.json
CWE IDs: ["CWE-284", "CWE-287", "CWE-639"]
Alternative ID: GHSA-q6w5-jg5q-47vg
Finding: F039
Auto approve: 1