Headline
GHSA-q6w5-jg5q-47vg: @clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
Impact
Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router.
Affected Versions
All applications that that use @clerk/nextjs versions in the range of >= 4.7.0,< 4.29.3 in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that call auth() in the App Router or getAuth() in the Pages Router. Only the @clerk/nextjs SDK is impacted. Other SDKs, including other Javascript-based SDKs, are not impacted.
Patches
Fix included in @clerk/[email protected].
References
- https://clerk.com/changelog/2024-01-12
- https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3
Package
npm @clerk/nextjs (npm)
Affected versions
>= 4.7.0, < 4.29.3
Patched versions
4.29.3
Description
Impact
Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router.
Affected Versions
All applications that that use @clerk/nextjs versions in the range of >= 4.7.0,< 4.29.3 in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that call auth() in the App Router or getAuth() in the Pages Router. Only the @clerk/nextjs SDK is impacted. Other SDKs, including other Javascript-based SDKs, are not impacted.
Patches
Fix included in @clerk/[email protected].
References
- https://clerk.com/changelog/2024-01-12
- https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3
References
- GHSA-q6w5-jg5q-47vg
- https://clerk.com/changelog/2024-01-12
- https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3
zythosec published to clerk/javascript
Jan 12, 2024
Published to the GitHub Advisory Database
Jan 12, 2024
Reviewed
Jan 12, 2024
Last updated
Jan 12, 2024