Описание
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
Impact
Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router.
Affected Versions
All applications that that use @clerk/nextjs versions in the range of >= 4.7.0,< 4.29.3 in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that call auth() in the App Router or getAuth() in the Pages Router. Only the @clerk/nextjs SDK is impacted. Other SDKs, including other Javascript-based SDKs, are not impacted.
Patches
Fix included in @clerk/nextjs@4.29.3.
References
Пакеты
@clerk/nextjs
>= 4.7.0, < 4.29.3
4.29.3
Связанные уязвимости
Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.