Platform
nextjs
Component
@clerk/nextjs
Fixed version
4.29.3
CVE-2024-22206 is a critical authentication bypass vulnerability in @clerk/nextjs (Clerk Next.js), Clerk's user management and authentication SDK for Next.js. It lets an attacker gain unauthorized access or escalate privileges within applications that rely on Clerk's authentication helpers. Versions 4.7.0 up to, but not including, 4.29.3 are affected; the fix shipped in 4.29.3.
The core impact is a bypass of authentication controls: an attacker could read other users' data, perform actions on their behalf, or reach administrative functionality. The flaw is a logic error in the auth() helper (App Router) and the getAuth() helper (Pages Router) that allows the authentication state returned to the application to be manipulated, so it behaves as an insecure direct object reference (IDOR) against other users' identities. The severity stems from the low complexity of exploitation and from how many applications depend on these two helpers for every authorization decision.
CVE-2024-22206 was publicly disclosed on January 12, 2024. No active exploitation campaigns have been publicly reported and no public proof-of-concept (PoC) code has been released as of this writing, although the nature of the flaw makes a PoC likely to emerge. The vulnerability has not been added to the CISA KEV catalog, and its EPSS score of 0.26% (50th percentile) reflects that absence of observed exploitation; the critical severity and low exploitation complexity nonetheless make prompt patching advisable.
Applications built on @clerk/nextjs 4.7.0 through 4.29.2 that use auth() in the App Router or getAuth() in the Pages Router to protect routes are at risk. Deployments where a single Next.js server instance serves multiple tenants or applications are of particular concern, because a manipulated authentication state there can expose data across tenant boundaries.
• nextjs / server:
# Check the installed @clerk/nextjs version (the scoped package name is required; "npm list clerk" matches nothing)
npm list @clerk/nextjs
• generic web:
# Inspect application and proxy logs for unusual authentication patterns or unauthorized access attempts (adjust the path and pattern to your deployment)
grep -i 'auth' /var/log/nginx/error.log
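The `npm list` check above reports whatever is installed at the top level, but a second, nested copy of @clerk/nextjs pulled in by another dependency is just as exposed. The following Node.js script is an added example, not code from the advisory or from Clerk: it walks a package-lock.json (lockfile v2/v3 "packages" map), collects every resolved @clerk/nextjs version, and tests each against the affected range [4.7.0, 4.29.3). The lockfile excerpt embedded at the bottom is constructed for the demonstration.

```javascript
// Added example (not from the Clerk advisory or project): decide whether each
// installed @clerk/nextjs falls in the CVE-2024-22206 range [4.7.0, 4.29.3).
const AFFECTED_MIN = "4.7.0";  // first affected version (inclusive)
const FIXED = "4.29.3";        // first fixed version (exclusive upper bound)

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]" into comparable parts.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver string: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts below the release it precedes,
// so 4.29.3-beta.1 is still inside the affected range.
function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (const k of ["major", "minor", "patch"]) {
    if (x[k] !== y[k]) return x[k] < y[k] ? -1 : 1;
  }
  if (x.pre === y.pre) return 0;
  if (x.pre === null) return 1;
  if (y.pre === null) return -1;
  return x.pre < y.pre ? -1 : 1;
}

// True when version is in [AFFECTED_MIN, FIXED).
function isAffected(version) {
  return compareSemver(version, AFFECTED_MIN) >= 0 && compareSemver(version, FIXED) < 0;
}

// Every resolved @clerk/nextjs in the lockfile, including nested copies such as
// node_modules/some-lib/node_modules/@clerk/nextjs.
function clerkVersionsFromLock(lockJson) {
  const lock = JSON.parse(lockJson);
  const found = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/@clerk/nextjs") && entry.version) {
      found.push({ path, version: entry.version });
    }
  }
  return found;
}

// One verdict per installed copy.
function auditLock(lockJson) {
  return clerkVersionsFromLock(lockJson).map(({ path, version }) => ({
    path, version, affected: isAffected(version),
  }));
}

// Constructed lockfile excerpt: a vulnerable top-level copy and a fixed nested copy.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@clerk/nextjs": "^4.20.0" } },
    "node_modules/@clerk/nextjs": { version: "4.29.2" },
    "node_modules/some-lib/node_modules/@clerk/nextjs": { version: "4.29.3" },
  },
});

for (const r of auditLock(SAMPLE_LOCK)) {
  console.log(`${r.path}: ${r.version} -> ${r.affected ? "AFFECTED" : "ok"}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `fs.readFileSync("package-lock.json", "utf8")`; yarn and pnpm lockfiles use different layouts and need their own reader. Any copy reported as AFFECTED should be upgraded, not only the top-level one.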
Exploitation status
EPSS
0.26% (50th percentile)
CVSS vector
The primary mitigation for CVE-2024-22206 is to upgrade @clerk/nextjs to version 4.29.3 or later immediately. No direct workaround is available. If the upgrade cannot be applied at once because of compatibility concerns or breaking changes, add stricter input validation and per-resource access controls in your own application code to limit the damage an unauthorized caller can do, and review and harden the authentication logic around auth() and getAuth() as a temporary layer of defense. After upgrading, confirm that the dependency tree resolves every copy of @clerk/nextjs to 4.29.3 or later and re-test your protected routes to verify that the bypass is no longer possible.
Upgrade the @clerk/nextjs library to 4.29.3 or later. This fixes the IDOR vulnerability in the auth() and getAuth() methods. Run `npm install @clerk/nextjs@latest` or `yarn add @clerk/nextjs@latest` to upgrade.
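The interim advice above to add "stricter access controls" means, in practice, never letting the record id in a request be the only thing that decides who can read the record. The following Node.js snippet is an added example, not code from the advisory or from Clerk: it contrasts a handler that trusts the id once any session exists with a deny-by-default wrapper that also checks the record's owner. The session lookup is a stand-in named resolveSession() that reads an auth context already attached to the request; in a real application that value would come from Clerk's getAuth(req) (Pages Router) or auth() (App Router). The data store and requests are constructed for the example.

```javascript
// Added example (not from the Clerk advisory or project): an ownership check
// layered under the library's authentication result.

// Constructed data store: documents belonging to two different users.
const DOCUMENTS = new Map([
  ["doc-1", { id: "doc-1", ownerId: "user_alice", body: "alice's notes" }],
  ["doc-2", { id: "doc-2", ownerId: "user_bob", body: "bob's notes" }],
]);

// Stand-in for Clerk's getAuth(req) / auth(): for this example the request
// carries an already-resolved auth context ({ userId } or nothing).
function resolveSession(req) {
  return req.auth ?? { userId: null };
}

// Vulnerable pattern: any signed-in user can fetch any id (classic IDOR).
function getDocumentUnguarded(req) {
  const { userId } = resolveSession(req);
  if (!userId) return { status: 401, body: { error: "unauthenticated" } };
  const record = DOCUMENTS.get(req.params.id);
  return record
    ? { status: 200, body: record }
    : { status: 404, body: { error: "not found" } };
}

// Hardened pattern: the handler only runs for a signed-in user who owns the
// record. A missing record and a foreign record both return 404 so that the
// existence of other users' records is not leaked to the caller.
function withOwnership(loadRecord, handler) {
  return function guarded(req) {
    const { userId } = resolveSession(req);
    if (!userId) return { status: 401, body: { error: "unauthenticated" } };
    const record = loadRecord(req.params.id);
    if (!record || record.ownerId !== userId) {
      return { status: 404, body: { error: "not found" } };
    }
    return handler(req, record, userId);
  };
}

const getDocument = withOwnership(
  (id) => DOCUMENTS.get(id),
  (req, record) => ({ status: 200, body: record }),
);

// Constructed requests: bob asking for alice's document, alice asking for her own, and an anonymous caller.
const bobReadsAlice = { params: { id: "doc-1" }, auth: { userId: "user_bob" } };
const aliceReadsAlice = { params: { id: "doc-1" }, auth: { userId: "user_alice" } };
const anonReads = { params: { id: "doc-1" } };

console.log("unguarded, bob -> doc-1:", getDocumentUnguarded(bobReadsAlice).status); // 200
console.log("guarded,   bob -> doc-1:", getDocument(bobReadsAlice).status);          // 404
console.log("guarded, alice -> doc-1:", getDocument(aliceReadsAlice).status);        // 200
console.log("guarded,  anon -> doc-1:", getDocument(anonReads).status);              // 401
```

The caveat matters here: this check limits damage from a caller who has a legitimate session and guesses ids, but it is only as trustworthy as the userId the library hands back. If the library bug lets an attacker influence the identity that auth() or getAuth() returns, the ownership comparison is made against that influenced identity, which is why the advisory offers no workaround and the upgrade to 4.29.3 is the actual fix.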
CVE-2024-22206 is a critical vulnerability in Clerk Next.js allowing attackers to bypass authentication and potentially gain unauthorized access or escalate privileges.
Yes, if you are using Clerk Next.js versions 4.7.0 through 4.29.2, you are affected by this vulnerability.
Upgrade Clerk Next.js to version 4.29.3 or later to remediate the vulnerability. Consider stricter input validation as a temporary measure if upgrading is not immediately possible.
No active exploitation campaigns have been publicly reported and the EPSS score is low (0.26%, 50th percentile), but the vulnerability's severity and ease of exploitation make prompt patching advisable.
Refer to the official Clerk security advisory for detailed information and updates: [https://www.clerk.com/blog/security-update-cve-2024-22206](https://www.clerk.com/blog/security-update-cve-2024-22206)