CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AI Score
Confidence: High
EPSS Percentile: 28.6%
Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router.

All applications that use @clerk/nextjs versions in the range >= 4.7.0, < 4.29.3 in a Next.js backend to authenticate API Routes, App Router pages, or Route Handlers are affected; specifically, those that call auth() in the App Router or getAuth() in the Pages Router. Only the @clerk/nextjs SDK is impacted. Other SDKs, including other JavaScript-based SDKs, are not impacted.

Fix included in @clerk/nextjs@4.29.3.
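The practical check for this advisory is whether any resolved copy of @clerk/nextjs in a project falls inside the affected range, including nested duplicates pulled in transitively that a top-level upgrade does not replace. The script below is an added example, not Clerk's code or part of the advisory: it embeds the advisory's range (>= 4.7.0, < 4.29.3), implements a minimal semver comparison with no dependencies, and walks the "packages" map of a package-lock.json (lockfileVersion 2 or 3 layout is assumed). The lockfile content is constructed inline for the demonstration.

```javascript
// Added example (not Clerk's code): audit resolved @clerk/nextjs versions
// against the affected range stated in this advisory.
const AFFECTED_MIN = "4.7.0";  // inclusive lower bound, from the advisory
const FIXED_IN = "4.29.3";     // first fixed release, from the advisory

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into comparable parts; null if malformed.
function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(String(v).trim());
  if (!m) return null;
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts before its release (4.29.3-beta.1 < 4.29.3),
// so prereleases of the fixed version are treated conservatively as affected.
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  if (!pa || !pb) throw new Error(`unparseable version: ${!pa ? a : b}`);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// true if version is in [AFFECTED_MIN, FIXED_IN); null if the version cannot be parsed.
function isAffected(version) {
  if (!parseSemver(version)) return null;
  return compareSemver(version, AFFECTED_MIN) >= 0 && compareSemver(version, FIXED_IN) < 0;
}

// Walk a package-lock.json "packages" map (lockfileVersion 2/3, assumed layout) and
// report every resolved copy of @clerk/nextjs, top-level or nested under another package.
function auditLockfile(lockJson) {
  const lock = JSON.parse(lockJson);
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "node_modules/@clerk/nextjs" || path.endsWith("/node_modules/@clerk/nextjs")) {
      findings.push({ path, version: entry.version, affected: isAffected(entry.version) });
    }
  }
  return findings;
}

// Constructed sample lockfile: the top-level copy is fixed, but a plugin still
// carries its own nested, affected copy that "npm ls" would show as a duplicate.
const SAMPLE_LOCK = JSON.stringify({
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", dependencies: { "@clerk/nextjs": "^4.29.3" } },
    "node_modules/@clerk/nextjs": { version: "4.29.3" },
    "node_modules/some-plugin": { version: "1.0.0" },
    "node_modules/some-plugin/node_modules/@clerk/nextjs": { version: "4.28.1" },
  },
});

if (typeof require !== "undefined" && require.main === module) {
  for (const f of auditLockfile(SAMPLE_LOCK)) {
    const verdict = f.affected ? `AFFECTED, upgrade to >= ${FIXED_IN}` : "ok";
    console.log(`${f.path}: ${f.version} -> ${verdict}`);
  }
}
```

The check is run against the lockfile rather than package.json on purpose: the declared range ("^4.29.3") says nothing about a second, older copy that another dependency pins, and only resolved versions tell you what auth() and getAuth() your routes actually execute.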