PT-2024-19274 · Next.Js+2

Sokratisvidros · Published 2024-01-12 · Updated 2024-01-22 · CVE-2024-22206

CVSS v3.1: 9.0 (Critical)
Vector: AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Clerk versions prior to 4.29.3

Description: The issue allows unauthorized access or privilege escalation due to a logic flaw in the auth() function in the App Router or the getAuth() function in the Pages Router. It affects applications that use the @clerk/nextjs SDK in a Next.js backend to authenticate API Routes, App Router, or Route handlers.

Recommendations: For versions prior to 4.29.3, update to version 4.29.3 to resolve the issue. As a temporary workaround, consider disabling the auth() function in the App Router or the getAuth() function in the Pages Router until the patch is applied. Restrict access to the affected API Routes, App Router, or Route handlers to minimize the risk of exploitation.

Weakness Enumeration

Improper Access Control
Improper Authentication
IDOR

Related Identifiers

CVE-2024-22206
GHSA-Q6W5-JG5Q-47VG

Affected Products

@Clerk/Nextjs
Clerk
Next.Js