@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
Description
Published by the National Vulnerability Database
Jan 12, 2024
Published to the GitHub Advisory Database
Jan 12, 2024
Reviewed
Jan 12, 2024
Last updated
Jan 15, 2024
Impact
Unauthorized access or privilege escalation due to a logic flaw in
auth()
in the App Router orgetAuth()
in the Pages Router.Affected Versions
All applications that that use
@clerk/nextjs
versions in the range of>= 4.7.0
,< 4.29.3
in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that callauth()
in the App Router orgetAuth()
in the Pages Router. Only the@clerk/nextjs
SDK is impacted. Other SDKs, including other Javascript-based SDKs, are not impacted.Patches
Fix included in
@clerk/nextjs@4.29.3
.References
References