Platform
nextjs
Component
@clerk/nextjs
Fixed in
4.7.1
CVE-2024-22206 describes a critical authentication bypass vulnerability discovered in Clerk Next.js, a user management solution for developers. This flaw allows attackers to potentially gain unauthorized access or escalate privileges within applications utilizing Clerk's authentication mechanisms. The vulnerability impacts versions 4.7.0 up to, but not including, 4.29.3, and a patch is available in version 4.29.3.
The core impact of CVE-2024-22206 lies in its ability to bypass authentication controls. An attacker exploiting this vulnerability could potentially access sensitive user data, perform actions on behalf of other users without authorization, or even gain administrative access to the application. The severity stems from the ease of exploitation and the potential for widespread impact across applications relying on Clerk's authentication services. This bypass is due to a logic flaw in the auth() function within the App Router or the getAuth() function in the Pages Router, allowing manipulation of the authentication state.
CVE-2024-22206 was publicly disclosed on January 12, 2024. While no active exploitation campaigns have been publicly reported, the vulnerability's critical severity and ease of exploitation suggest a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. The vulnerability has not been added to the CISA KEV catalog.
Exploit Status
EPSS
0.26% (50% percentile)
CVSS Vector
The primary mitigation for CVE-2024-22206 is to immediately upgrade Clerk Next.js to version 4.29.3 or later. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, consider implementing stricter input validation and access controls within your application's code to limit the potential damage from unauthorized access. While a direct workaround isn't available, carefully reviewing and hardening authentication logic can provide a temporary layer of defense. After upgrading, confirm the fix by attempting to reproduce the authentication bypass scenario and verifying that it is no longer possible.
Update the @clerk/nextjs library to version 4.29.3 or higher. This corrects the IDOR vulnerability in the auth() and getAuth() methods. Run `npm install @clerk/nextjs@latest` or `yarn add @clerk/nextjs@latest` to update.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2024-22206 is a critical vulnerability in Clerk Next.js allowing attackers to bypass authentication and potentially gain unauthorized access or escalate privileges.
Yes, if you are using Clerk Next.js versions 4.7.0 through 4.29.2, you are affected by this vulnerability.
Upgrade Clerk Next.js to version 4.29.3 or later to remediate the vulnerability. Consider stricter input validation as a temporary measure if upgrading is not immediately possible.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official Clerk security advisory for detailed information and updates: [https://www.clerk.com/blog/security-update-cve-2024-22206](https://www.clerk.com/blog/security-update-cve-2024-22206)
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.