CVE-2024-22206
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
Description
### Impact Unauthorized access or privilege escalation due to a logic flaw in `auth()` in the App Router or `getAuth()` in the Pages Router. ### Affected Versions All applications that that use `@clerk/nextjs` versions in the range of `>= 4.7.0`,`< 4.29.3` in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that call `auth()` in the App Router or `getAuth()` in the Pages Router. Only the `@clerk/nextjs` SDK is impacted. Other SDKs, including other Javascript-based SDKs, are not impacted. ### Patches Fix included in `@clerk/[email protected]`. ### References - https://clerk.com/changelog/2024-01-12 - https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3
How to fix CVE-2024-22206
To remediate CVE-2024-22206, upgrade the affected package to a fixed version below.
- —upgrade to 4.29.3 or later
Is CVE-2024-22206 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.7.0, < 4.29.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | CRITICAL9.0 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H |