logo

Database

Improper authorization control for web services In @clerk/nextjs

Description

@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)

Impact

Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router.

Affected Versions

All applications that that use @clerk/nextjs versions in the range of >= 4.7.0,< 4.29.3 in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that call auth() in the App Router or getAuth() in the Pages Router. Only the @clerk/nextjs SDK is impacted. Other SDKs, including other Javascript-based SDKs, are not impacted.

Patches

Fix included in @clerk/[email protected].

References

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2024-222062. NVD-2024-222063. OSV-2024-222064. GHSA-q6w5-jg5q-47vg5. GCVE-2024-22206

References

1. https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg2. https://clerk.com/changelog/2024-01-123. https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.