Search criteria
9 vulnerabilities found for javascript by clerk
CVE-2026-42349 (GCVE-0-2026-42349)
Vulnerability from nvd – Published: 2026-05-11 16:08 – Updated: 2026-05-14 18:19
VLAI
Title
Clerk: Authorization bypass when combining organization, billing, or reverification checks
Summary
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/clerk/javascript/security/advi… | x_refsource_CONFIRM |
Impacted products
17 products
| Vendor | Product | Version | |
|---|---|---|---|
| clerk | javascript |
Affected:
>= 5.22.0, < 5.125.10
Affected: >= 6.0.0, < 6.7.5 |
|
| @clerk | shared |
Affected:
>= 3.0.0, <= 3.47.4
Affected: >= 4.0.0, <= 4.8.2 |
|
| @clerk | backend |
Affected:
>= 2.0.0, <= 2.33.2
Affected: >= 3.0.0, <= 3.2.13 |
|
| @clerk | nextjs |
Affected:
>= 6.0.0, <= 6.39.2
Affected: >= 7.0.0, <= 7.2.3 |
|
| @clerk | clerk-react |
Affected:
>= 5.9.0, <= 5.61.5
|
|
| @clerk | react |
Affected:
>= 6.0.0, <= 6.4.2
|
|
| @clerk | vue |
Affected:
>= 1.0.0, <= 1.17.20
Affected: >= 2.0.0, <= 2.0.15 |
|
| @clerk | astro |
Affected:
>= 2.0.0, <= 2.17.10
Affected: >= 3.0.0, <= 3.0.17 |
|
| @clerk | nuxt |
Affected:
>= 1.0.0, <= 1.13.28
Affected: >= 2.0.0, <= 2.2.4 |
|
| @clerk | clerk-expo |
Affected:
>= 2.2.11, <= 2.19.35
|
|
| @clerk | expo |
Affected:
>= 3.0.0, <= 3.2.1
|
|
| @clerk | react-router |
Affected:
>= 0.0.1, <= 2.4.12
Affected: >= 3.0.0, <= 3.1.3 |
|
| @clerk | tanstack-react-start |
Affected:
>= 0.0.1, <= 0.29.10
Affected: >= 1.0.0, <= 1.1.3 |
|
| @clerk | chrome-extension |
Affected:
>= 1.3.5, <= 2.9.14
Affected: >= 3.0.0, <= 3.1.14 |
|
| @clerk | fastify |
Affected:
>= 1.0.42, <= 2.6.30
Affected: >= 3.0.0, <= 3.1.15 |
|
| @clerk | express |
Affected:
>= 0.1.0, <= 1.7.78
Affected: >= 2.0.0, <= 2.1.5 |
|
| @clerk | hono |
Affected:
>= 0.0.2, <= 0.1.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42349",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:18:41.752602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:19:38.735Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "javascript",
"vendor": "clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.22.0, \u003c 5.125.10"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.7.5"
}
]
},
{
"product": "shared",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.47.4"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c= 4.8.2"
}
]
},
{
"product": "backend",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.33.2"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.2.13"
}
]
},
{
"product": "nextjs",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c= 6.39.2"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c= 7.2.3"
}
]
},
{
"product": "clerk-react",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.9.0, \u003c= 5.61.5"
}
]
},
{
"product": "react",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c= 6.4.2"
}
]
},
{
"product": "vue",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 1.17.20"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.0.15"
}
]
},
{
"product": "astro",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.17.10"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.0.17"
}
]
},
{
"product": "nuxt",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 1.13.28"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.2.4"
}
]
},
{
"product": "clerk-expo",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2.11, \u003c= 2.19.35"
}
]
},
{
"product": "expo",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.2.1"
}
]
},
{
"product": "react-router",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.1, \u003c= 2.4.12"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.1.3"
}
]
},
{
"product": "tanstack-react-start",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.1, \u003c= 0.29.10"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 1.1.3"
}
]
},
{
"product": "chrome-extension",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.5, \u003c= 2.9.14"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.1.14"
}
]
},
{
"product": "fastify",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.42, \u003c= 2.6.30"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.1.15"
}
]
},
{
"product": "express",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.1.0, \u003c= 1.7.78"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.1.5"
}
]
},
{
"product": "hono",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.2, \u003c= 0.1.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:08:27.869Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c"
}
],
"source": {
"advisory": "GHSA-w24r-5266-9c3c",
"discovery": "UNKNOWN"
},
"title": "Clerk: Authorization bypass when combining organization, billing, or reverification checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42349",
"datePublished": "2026-05-11T16:08:27.869Z",
"dateReserved": "2026-04-26T13:26:14.515Z",
"dateUpdated": "2026-05-14T18:19:38.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34076 (GCVE-0-2026-34076)
Vulnerability from nvd – Published: 2026-04-01 16:59 – Updated: 2026-04-01 18:00
VLAI
Title
Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
Summary
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/clerk/javascript/security/advi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| clerk | javascript |
Affected:
@clerk/hono >= 0.1.0, < 0.1.5
Affected: @clerk/express >= 2.0.0, < 2.0.7 Affected: @clerk/backend >= 3.0.0, < 3.2.3 Affected: @clerk/fastify >= 3.1.0, < 3.1.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T18:00:15.522839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:00:23.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "javascript",
"vendor": "clerk",
"versions": [
{
"status": "affected",
"version": "@clerk/hono \u003e= 0.1.0, \u003c 0.1.5"
},
{
"status": "affected",
"version": "@clerk/express \u003e= 2.0.0, \u003c 2.0.7"
},
{
"status": "affected",
"version": "@clerk/backend \u003e= 3.0.0, \u003c 3.2.3"
},
{
"status": "affected",
"version": "@clerk/fastify \u003e= 3.1.0, \u003c 3.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application\u0027s Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:59:21.828Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f"
}
],
"source": {
"advisory": "GHSA-gjxx-92w9-8v8f",
"discovery": "UNKNOWN"
},
"title": "Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34076",
"datePublished": "2026-04-01T16:59:21.828Z",
"dateReserved": "2026-03-25T16:21:40.868Z",
"dateUpdated": "2026-04-01T18:00:23.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53548 (GCVE-0-2025-53548)
Vulnerability from nvd – Published: 2025-07-09 17:12 – Updated: 2025-07-09 17:34
VLAI
Title
@clerk/backend Performs Insufficient Verification of Data Authenticity
Summary
Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/clerk/javascript/security/advi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| clerk | javascript |
Affected:
< 2.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-09T17:34:18.708328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T17:34:36.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "javascript",
"vendor": "clerk",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T17:12:10.483Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9"
}
],
"source": {
"advisory": "GHSA-9mp4-77wg-rwx9",
"discovery": "UNKNOWN"
},
"title": "@clerk/backend Performs Insufficient Verification of Data Authenticity"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53548",
"datePublished": "2025-07-09T17:12:10.483Z",
"dateReserved": "2025-07-02T15:15:11.516Z",
"dateUpdated": "2025-07-09T17:34:36.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22206 (GCVE-0-2024-22206)
Vulnerability from nvd – Published: 2024-01-12 20:07 – Updated: 2024-11-14 15:42
VLAI
Title
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
Summary
Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/clerk/javascript/security/advi… | x_refsource_CONFIRM |
| https://clerk.com/changelog/2024-01-12 | x_refsource_MISC |
| https://github.com/clerk/javascript/releases/tag/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| clerk | javascript |
Affected:
>= 4.7.0, < 4.29.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.930Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg"
},
{
"name": "https://clerk.com/changelog/2024-01-12",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://clerk.com/changelog/2024-01-12"
},
{
"name": "https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T15:42:26.578504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T15:42:39.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "javascript",
"vendor": "clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.7.0, \u003c 4.29.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-12T20:07:40.402Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg"
},
{
"name": "https://clerk.com/changelog/2024-01-12",
"tags": [
"x_refsource_MISC"
],
"url": "https://clerk.com/changelog/2024-01-12"
},
{
"name": "https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3"
}
],
"source": {
"advisory": "GHSA-q6w5-jg5q-47vg",
"discovery": "UNKNOWN"
},
"title": "@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-22206",
"datePublished": "2024-01-12T20:07:40.402Z",
"dateReserved": "2024-01-08T04:59:27.373Z",
"dateUpdated": "2024-11-14T15:42:39.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-42349 (GCVE-0-2026-42349)
Vulnerability from cvelistv5 – Published: 2026-05-11 16:08 – Updated: 2026-05-14 18:19
VLAI
Title
Clerk: Authorization bypass when combining organization, billing, or reverification checks
Summary
Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5.
Severity
SSVC
Exploitation: poc
Automatable: no
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/clerk/javascript/security/advi… | x_refsource_CONFIRM |
Impacted products
17 products
| Vendor | Product | Version | |
|---|---|---|---|
| clerk | javascript |
Affected:
>= 5.22.0, < 5.125.10
Affected: >= 6.0.0, < 6.7.5 |
|
| @clerk | shared |
Affected:
>= 3.0.0, <= 3.47.4
Affected: >= 4.0.0, <= 4.8.2 |
|
| @clerk | backend |
Affected:
>= 2.0.0, <= 2.33.2
Affected: >= 3.0.0, <= 3.2.13 |
|
| @clerk | nextjs |
Affected:
>= 6.0.0, <= 6.39.2
Affected: >= 7.0.0, <= 7.2.3 |
|
| @clerk | clerk-react |
Affected:
>= 5.9.0, <= 5.61.5
|
|
| @clerk | react |
Affected:
>= 6.0.0, <= 6.4.2
|
|
| @clerk | vue |
Affected:
>= 1.0.0, <= 1.17.20
Affected: >= 2.0.0, <= 2.0.15 |
|
| @clerk | astro |
Affected:
>= 2.0.0, <= 2.17.10
Affected: >= 3.0.0, <= 3.0.17 |
|
| @clerk | nuxt |
Affected:
>= 1.0.0, <= 1.13.28
Affected: >= 2.0.0, <= 2.2.4 |
|
| @clerk | clerk-expo |
Affected:
>= 2.2.11, <= 2.19.35
|
|
| @clerk | expo |
Affected:
>= 3.0.0, <= 3.2.1
|
|
| @clerk | react-router |
Affected:
>= 0.0.1, <= 2.4.12
Affected: >= 3.0.0, <= 3.1.3 |
|
| @clerk | tanstack-react-start |
Affected:
>= 0.0.1, <= 0.29.10
Affected: >= 1.0.0, <= 1.1.3 |
|
| @clerk | chrome-extension |
Affected:
>= 1.3.5, <= 2.9.14
Affected: >= 3.0.0, <= 3.1.14 |
|
| @clerk | fastify |
Affected:
>= 1.0.42, <= 2.6.30
Affected: >= 3.0.0, <= 3.1.15 |
|
| @clerk | express |
Affected:
>= 0.1.0, <= 1.7.78
Affected: >= 2.0.0, <= 2.1.5 |
|
| @clerk | hono |
Affected:
>= 0.0.2, <= 0.1.15
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-42349",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-14T18:18:41.752602Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-14T18:19:38.735Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "javascript",
"vendor": "clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.22.0, \u003c 5.125.10"
},
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c 6.7.5"
}
]
},
{
"product": "shared",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.47.4"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c= 4.8.2"
}
]
},
{
"product": "backend",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.33.2"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.2.13"
}
]
},
{
"product": "nextjs",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c= 6.39.2"
},
{
"status": "affected",
"version": "\u003e= 7.0.0, \u003c= 7.2.3"
}
]
},
{
"product": "clerk-react",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.9.0, \u003c= 5.61.5"
}
]
},
{
"product": "react",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 6.0.0, \u003c= 6.4.2"
}
]
},
{
"product": "vue",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 1.17.20"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.0.15"
}
]
},
{
"product": "astro",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.17.10"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.0.17"
}
]
},
{
"product": "nuxt",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 1.13.28"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.2.4"
}
]
},
{
"product": "clerk-expo",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.2.11, \u003c= 2.19.35"
}
]
},
{
"product": "expo",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.2.1"
}
]
},
{
"product": "react-router",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.1, \u003c= 2.4.12"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.1.3"
}
]
},
{
"product": "tanstack-react-start",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.1, \u003c= 0.29.10"
},
{
"status": "affected",
"version": "\u003e= 1.0.0, \u003c= 1.1.3"
}
]
},
{
"product": "chrome-extension",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.3.5, \u003c= 2.9.14"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.1.14"
}
]
},
{
"product": "fastify",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.0.42, \u003c= 2.6.30"
},
{
"status": "affected",
"version": "\u003e= 3.0.0, \u003c= 3.1.15"
}
]
},
{
"product": "express",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.1.0, \u003c= 1.7.78"
},
{
"status": "affected",
"version": "\u003e= 2.0.0, \u003c= 2.1.5"
}
]
},
{
"product": "hono",
"vendor": "@clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 0.0.2, \u003c= 0.1.15"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. This call shape can be bypassed if certain conditions are met: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-754",
"description": "CWE-754: Improper Check for Unusual or Exceptional Conditions",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T16:08:27.869Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-w24r-5266-9c3c"
}
],
"source": {
"advisory": "GHSA-w24r-5266-9c3c",
"discovery": "UNKNOWN"
},
"title": "Clerk: Authorization bypass when combining organization, billing, or reverification checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-42349",
"datePublished": "2026-05-11T16:08:27.869Z",
"dateReserved": "2026-04-26T13:26:14.515Z",
"dateUpdated": "2026-05-14T18:19:38.735Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34076 (GCVE-0-2026-34076)
Vulnerability from cvelistv5 – Published: 2026-04-01 16:59 – Updated: 2026-04-01 18:00
VLAI
Title
Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
Summary
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5.
Severity
7.4 (High)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/clerk/javascript/security/advi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| clerk | javascript |
Affected:
@clerk/hono >= 0.1.0, < 0.1.5
Affected: @clerk/express >= 2.0.0, < 2.0.7 Affected: @clerk/backend >= 3.0.0, < 3.2.3 Affected: @clerk/fastify >= 3.1.0, < 3.1.5 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34076",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T18:00:15.522839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:00:23.118Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "javascript",
"vendor": "clerk",
"versions": [
{
"status": "affected",
"version": "@clerk/hono \u003e= 0.1.0, \u003c 0.1.5"
},
{
"status": "affected",
"version": "@clerk/express \u003e= 2.0.0, \u003c 2.0.7"
},
{
"status": "affected",
"version": "@clerk/backend \u003e= 3.0.0, \u003c 3.2.3"
},
{
"status": "affected",
"version": "@clerk/fastify \u003e= 3.1.0, \u003c 3.1.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application\u0027s Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:59:21.828Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-gjxx-92w9-8v8f"
}
],
"source": {
"advisory": "GHSA-gjxx-92w9-8v8f",
"discovery": "UNKNOWN"
},
"title": "Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34076",
"datePublished": "2026-04-01T16:59:21.828Z",
"dateReserved": "2026-03-25T16:21:40.868Z",
"dateUpdated": "2026-04-01T18:00:23.118Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-53548 (GCVE-0-2025-53548)
Vulnerability from cvelistv5 – Published: 2025-07-09 17:12 – Updated: 2025-07-09 17:34
VLAI
Title
@clerk/backend Performs Insufficient Verification of Data Authenticity
Summary
Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0.
Severity
7.5 (High)
SSVC
Exploitation: none
Automatable: yes
Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
- CWE-345 - Insufficient Verification of Data Authenticity
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/clerk/javascript/security/advi… | x_refsource_CONFIRM |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| clerk | javascript |
Affected:
< 2.4.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-53548",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-09T17:34:18.708328Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T17:34:36.765Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "javascript",
"vendor": "clerk",
"versions": [
{
"status": "affected",
"version": "\u003c 2.4.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-345",
"description": "CWE-345: Insufficient Verification of Data Authenticity",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-09T17:12:10.483Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9"
}
],
"source": {
"advisory": "GHSA-9mp4-77wg-rwx9",
"discovery": "UNKNOWN"
},
"title": "@clerk/backend Performs Insufficient Verification of Data Authenticity"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-53548",
"datePublished": "2025-07-09T17:12:10.483Z",
"dateReserved": "2025-07-02T15:15:11.516Z",
"dateUpdated": "2025-07-09T17:34:36.765Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-22206 (GCVE-0-2024-22206)
Vulnerability from cvelistv5 – Published: 2024-01-12 20:07 – Updated: 2024-11-14 15:42
VLAI
Title
@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)
Summary
Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.
Severity
9.1 (Critical)
SSVC
Exploitation: none
Automatable: no
Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/clerk/javascript/security/advi… | x_refsource_CONFIRM |
| https://clerk.com/changelog/2024-01-12 | x_refsource_MISC |
| https://github.com/clerk/javascript/releases/tag/… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| clerk | javascript |
Affected:
>= 4.7.0, < 4.29.3
|
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-01T22:35:34.930Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg",
"tags": [
"x_refsource_CONFIRM",
"x_transferred"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg"
},
{
"name": "https://clerk.com/changelog/2024-01-12",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://clerk.com/changelog/2024-01-12"
},
{
"name": "https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3",
"tags": [
"x_refsource_MISC",
"x_transferred"
],
"url": "https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-22206",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-11-14T15:42:26.578504Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2024-11-14T15:42:39.402Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "javascript",
"vendor": "clerk",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.7.0, \u003c 4.29.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.\n"
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.1,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-287",
"description": "CWE-287: Improper Authentication",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-01-12T20:07:40.402Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg"
},
{
"name": "https://clerk.com/changelog/2024-01-12",
"tags": [
"x_refsource_MISC"
],
"url": "https://clerk.com/changelog/2024-01-12"
},
{
"name": "https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3"
}
],
"source": {
"advisory": "GHSA-q6w5-jg5q-47vg",
"discovery": "UNKNOWN"
},
"title": "@clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-22206",
"datePublished": "2024-01-12T20:07:40.402Z",
"dateReserved": "2024-01-08T04:59:27.373Z",
"dateUpdated": "2024-11-14T15:42:39.402Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
FKIE_CVE-2024-22206
Vulnerability from fkie_nvd - Published: 2024-01-12 20:15 - Updated: 2024-11-21 08:55
Severity
9.0 (Critical) - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
9.8 (Critical) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://clerk.com/changelog/2024-01-12 | Release Notes, Vendor Advisory | |
| security-advisories@github.com | https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3 | Patch, Release Notes | |
| security-advisories@github.com | https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg | Patch, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://clerk.com/changelog/2024-01-12 | Release Notes, Vendor Advisory | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3 | Patch, Release Notes | |
| af854a3a-2127-422b-91ae-364da2661108 | https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg | Patch, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| clerk | javascript | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:clerk:javascript:*:*:*:*:*:node.js:*:*",
"matchCriteriaId": "750A6387-63D6-4EB8-825D-D77873BC36CC",
"versionEndExcluding": "4.29.3",
"versionStartIncluding": "4.7.0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.\n"
},
{
"lang": "es",
"value": "Clerk ayuda a los desarrolladores a crear gesti\u00f3n de usuarios. Acceso no autorizado o escalada de privilegios debido a un fallo l\u00f3gico en auth() en App Router o getAuth() en Pages Router. Esta vulnerabilidad fue parcheada en la versi\u00f3n 4.29.3."
}
],
"id": "CVE-2024-22206",
"lastModified": "2024-11-21T08:55:47.860",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.0,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 2.2,
"impactScore": 6.0,
"source": "security-advisories@github.com",
"type": "Secondary"
},
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 5.9,
"source": "nvd@nist.gov",
"type": "Primary"
}
]
},
"published": "2024-01-12T20:15:47.420",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://clerk.com/changelog/2024-01-12"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes"
],
"url": "https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3"
},
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Release Notes",
"Vendor Advisory"
],
"url": "https://clerk.com/changelog/2024-01-12"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Release Notes"
],
"url": "https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3"
},
{
"source": "af854a3a-2127-422b-91ae-364da2661108",
"tags": [
"Patch",
"Vendor Advisory"
],
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Modified",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-284"
},
{
"lang": "en",
"value": "CWE-287"
},
{
"lang": "en",
"value": "CWE-639"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}