Platform
nextjs
Component
@clerk/nextjs
Fixed in
4.29.3
CVE-2024-22206 describes a critical authentication bypass vulnerability discovered in Clerk Next.js, a user management solution for developers. This flaw allows attackers to potentially gain unauthorized access or escalate privileges within applications utilizing Clerk's authentication mechanisms. The vulnerability impacts versions 4.7.0 up to, but not including, 4.29.3, and a patch is available in version 4.29.3.
The core impact of CVE-2024-22206 lies in its ability to bypass authentication controls. An attacker exploiting this vulnerability could potentially access sensitive user data, perform actions on behalf of other users without authorization, or even gain administrative access to the application. The severity stems from the ease of exploitation and the potential for widespread impact across applications relying on Clerk's authentication services. This bypass is due to a logic flaw in the auth() function within the App Router or the getAuth() function in the Pages Router, allowing manipulation of the authentication state.
CVE-2024-22206 was publicly disclosed on January 12, 2024. While no active exploitation campaigns have been publicly reported, the vulnerability's critical severity and ease of exploitation suggest a high probability of exploitation. No public proof-of-concept (PoC) code has been released as of this writing, but the vulnerability's nature makes it likely that PoCs will emerge. The vulnerability has not been added to the CISA KEV catalog.
Applications built with Clerk Next.js and utilizing the App Router or Pages Router for authentication are at risk. This includes projects relying on Clerk's authentication services for user management, particularly those using versions 4.7.0 through 4.29.2. Exposure is per application: every deployment that bundles an affected @clerk/nextjs version must be upgraded independently, including nested copies pulled in by other dependencies.
• nextjs / server:
# Check the installed Clerk Next.js version (the package name is @clerk/nextjs, so list it by its scoped name)
npm list @clerk/nextjs
• generic web:
# Inspect application logs for unusual authentication patterns or unauthorized access attempts.
# Caveat: an authentication bypass does not announce itself with the words 'auth bypass'; the grep below is only a placeholder and will normally match nothing. Look instead for successful requests to protected routes from clients with no valid session.
grep -i 'auth bypass' /var/log/nginx/error.log
Disclosure
Exploit Status
EPSS
0.26% (50th percentile)
CVSS vector
The primary mitigation for CVE-2024-22206 is to immediately upgrade Clerk Next.js to version 4.29.3 or later. No vendor workaround exists: the flaw sits in the SDK's own auth() and getAuth() logic, so application-side input validation cannot remove it. If upgrading is not immediately feasible due to compatibility concerns or breaking changes, stricter access controls in your application code (for example, re-checking authorization on sensitive operations rather than trusting a single authentication result) can only limit the damage from unauthorized access, not prevent it. After upgrading, confirm the fix by verifying that the installed @clerk/nextjs version is 4.29.3 or later and that protected routes still reject requests without a valid session.
Update the @clerk/nextjs library to version 4.29.3 or later. This fixes the authentication-bypass flaw in the auth() and getAuth() methods. Run `npm install @clerk/nextjs@latest` or `yarn add @clerk/nextjs@latest` to update.
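The upgrade and verification steps above leave one practical gap: `npm list` only shows the tree as npm resolves it, and a vulnerable copy of @clerk/nextjs can sit nested under another dependency. The following Node.js script is an added example, not Clerk's code and not part of the original advisory; it walks a package-lock.json, finds every installed copy of @clerk/nextjs, and flags those inside the affected range the page gives (4.7.0 inclusive to 4.29.3 exclusive). The sample lockfile embedded below is constructed for illustration. Pre-release tags are treated as sorting before their release, so a hypothetical 4.29.3-beta.1 is still reported as affected.

```javascript
// Added example (not Clerk's code): audit a package-lock.json for copies of
// @clerk/nextjs inside the CVE-2024-22206 affected range, >= 4.7.0 and < 4.29.3.

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(version.trim());
  if (!m) throw new Error(`not a semver version: ${version}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], prerelease: m[4] || null };
}

// Compare two versions. A prerelease sorts before the release it precedes
// (4.29.3-beta.1 < 4.29.3), which matters exactly at the fixed-version boundary.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.prerelease === pb.prerelease) return 0;
  if (pa.prerelease === null) return 1;  // release is newer than any of its prereleases
  if (pb.prerelease === null) return -1;
  return pa.prerelease < pb.prerelease ? -1 : 1; // lexical order is enough for this check
}

const AFFECTED_FROM = "4.7.0"; // first affected version (inclusive), per the advisory text
const FIXED_IN = "4.29.3";     // first fixed version (exclusive upper bound)

function isAffected(version) {
  return compareSemver(version, AFFECTED_FROM) >= 0 && compareSemver(version, FIXED_IN) < 0;
}

// Locate every installed copy of @clerk/nextjs. npm v7+ lockfiles carry a
// "packages" map keyed by install path, which includes nested copies such as
// node_modules/<dep>/node_modules/@clerk/nextjs; older lockfiles only have a
// top-level "dependencies" map, used here as a fallback.
function findClerkVersions(lockJson) {
  const lock = typeof lockJson === "string" ? JSON.parse(lockJson) : lockJson;
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/@clerk/nextjs") && entry.version) {
      found.push({ path, version: entry.version });
    }
  }
  if (found.length === 0) {
    const dep = lock.dependencies && lock.dependencies["@clerk/nextjs"];
    if (dep && dep.version) found.push({ path: "node_modules/@clerk/nextjs", version: dep.version });
  }
  return found;
}

// Returns one record per installed copy with an `affected` verdict.
function auditLockfile(lockJson) {
  return findClerkVersions(lockJson).map(({ path, version }) => ({
    path,
    version,
    affected: isAffected(version),
  }));
}

// Constructed sample lockfile fragment (not from a real project): the top-level
// copy is still on a vulnerable version, a nested copy is already patched.
const SAMPLE_LOCK = JSON.stringify({
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", dependencies: { "@clerk/nextjs": "^4.29.2" } },
    "node_modules/@clerk/nextjs": { version: "4.29.2" },
    "node_modules/some-plugin/node_modules/@clerk/nextjs": { version: "4.29.3" },
  },
});

for (const r of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${r.path}: ${r.version} -> ${r.affected ? "AFFECTED, upgrade to >= 4.29.3" : "not affected"}`);
}
```

To run it against a real project, pass the contents of your package-lock.json (or the `packages` object from it) to `auditLockfile`; any entry reported as affected needs an upgrade even if the top-level copy is already on 4.29.3, because the nested copy is what that dependency's code will load.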
CVE-2024-22206 is a critical vulnerability in Clerk Next.js allowing attackers to bypass authentication and potentially gain unauthorized access or escalate privileges.
Yes, if you are using Clerk Next.js versions 4.7.0 through 4.29.2, you are affected by this vulnerability.
Upgrade Clerk Next.js to version 4.29.3 or later to remediate the vulnerability. Consider stricter input validation as a temporary measure if upgrading is not immediately possible.
While no active exploitation campaigns have been publicly reported, the vulnerability's severity and ease of exploitation suggest a high probability of exploitation.
Refer to the official Clerk security advisory for detailed information and updates: [https://www.clerk.com/blog/security-update-cve-2024-22206](https://www.clerk.com/blog/security-update-cve-2024-22206)