CVE-2024-22206: Authorization Bypass Through User-Controlled Key

January 12, 2024

Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.

References

clerk.com/changelog/2024-01-12
github.com/advisories/GHSA-q6w5-jg5q-47vg
github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3
github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg
nvd.nist.gov/vuln/detail/CVE-2024-22206

Detect and mitigate CVE-2024-22206 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →