Vulnerabilities > CVE-2024-22206 - Authorization Bypass Through User-Controlled Key vulnerability in Clerk Javascript

CVSS 9.8 - CRITICAL

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

HIGH

Integrity impact

HIGH

Availability impact

HIGH

network

low complexity

clerk

CWE-639

critical

NVD

Published: 2024-01-12

Updated: 2024-01-22

Summary

Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.

Vulnerable Configurations

Part	Description	Count
Application	Clerk Clerk Javascript *	1

Common Weakness Enumeration (CWE)

CWE-639 - Authorization Bypass Through User-Controlled Key

References

https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg
https://clerk.com/changelog/2024-01-12
https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3