CVE-2024-22206

9.0 CRITICAL

📋 TL;DR

CVE-2024-22206 is an authentication bypass vulnerability in Clerk's Next.js integration that allows unauthorized access or privilege escalation due to a logic flaw in auth() and getAuth() functions. This affects applications using Clerk for user management with Next.js App Router or Pages Router. All applications using vulnerable versions are affected.

💻 Affected Systems

Products:
  • @clerk/nextjs
  • Clerk Next.js integration
Versions: Versions before 4.29.3
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both App Router (auth()) and Pages Router (getAuth()) implementations. Requires Clerk authentication integration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete account takeover, unauthorized access to protected resources, privilege escalation to admin roles, and potential data exfiltration.

🟠

Likely Case

Unauthorized access to user-specific data and functionality, session hijacking, and privilege escalation within the application.

🟢

If Mitigated

Limited impact with proper network segmentation, additional authentication layers, and monitoring, but authentication bypass still possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The logic flaw suggests straightforward exploitation once understood, though no public exploit code is confirmed.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.29.3

Vendor Advisory: https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg

Restart Required: Yes

Instructions:

1. Update @clerk/nextjs to version 4.29.3 or later using npm update @clerk/nextjs or yarn upgrade @clerk/nextjs.
2. Restart your Next.js application server.
3. Verify the update in package.json and test authentication flows.

🔧 Temporary Workarounds

Implement additional authentication checks (scope: all)

Add server-side validation of user sessions beyond Clerk's auth functions.

🧯 If You Can't Patch

  • Implement network-level access controls to limit exposure of vulnerable endpoints
  • Add additional authentication middleware that validates sessions independently of Clerk's functions

🔍 How to Verify

Check if Vulnerable:

Check package.json for @clerk/nextjs version. If version is below 4.29.3, the system is vulnerable.

Check Version:

npm list @clerk/nextjs
grep @clerk/nextjs package.json

Verify Fix Applied:

Verify @clerk/nextjs version is 4.29.3 or higher in package.json and test authentication flows work correctly.
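The version check above is easy to get wrong with a plain string comparison ("4.3.0" sorts above "4.29.3" as text). The following script is an added example, not part of this advisory or of Clerk's own tooling: it parses a semver string (a bare version, a caret/tilde range, or a prerelease) and compares it numerically against the 4.29.3 fix. The sample package.json object is constructed for demonstration; against a real project, read the resolved version from node_modules/@clerk/nextjs/package.json or the lockfile, since a range in package.json only gives the declared floor.

```javascript
// Added example (not from the advisory or from Clerk): decide whether an
// @clerk/nextjs version falls below the 4.29.3 fix for CVE-2024-22206.
// Comparison is numeric per component, so "4.3.0" is correctly ranked below "4.29.3".
const FIXED_VERSION = "4.29.3";

// Parse "4.29.2", "^4.28.0", "v4.29.3" or "4.29.3-beta.1" into numeric parts
// plus an optional prerelease tag. A range such as "^4.28.0" is treated as its floor.
function parseVersion(spec) {
  const m = /^[\^~=v]?\s*(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(spec.trim());
  if (!m) throw new Error(`unrecognised version spec: ${spec}`);
  return { parts: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

// Comparator returning -1, 0 or 1. A prerelease of X sorts below the X release.
function compareVersions(a, b) {
  const va = parseVersion(a), vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.parts[i] !== vb.parts[i]) return va.parts[i] < vb.parts[i] ? -1 : 1;
  }
  if (va.prerelease && !vb.prerelease) return -1;
  if (!va.prerelease && vb.prerelease) return 1;
  return 0;
}

// True when the given @clerk/nextjs version is older than the patched release.
function isVulnerable(installedVersion) {
  return compareVersions(installedVersion, FIXED_VERSION) < 0;
}

// Look up @clerk/nextjs in a parsed package.json object; null if it is not a dependency.
function clerkVersionFrom(pkg) {
  const deps = { ...(pkg.dependencies || {}), ...(pkg.devDependencies || {}) };
  return deps["@clerk/nextjs"] ?? null;
}

// Constructed sample manifest. For a real check, prefer the resolved version:
//   const installed = require("./node_modules/@clerk/nextjs/package.json").version;
const samplePackageJson = { dependencies: { next: "14.0.4", "@clerk/nextjs": "^4.29.1" } };
const declared = clerkVersionFrom(samplePackageJson);
console.log(`@clerk/nextjs ${declared}: ${isVulnerable(declared)
  ? "floor is below 4.29.3, confirm the installed version"
  : "at or above 4.29.3"}`);
```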

📡 Detection & Monitoring

Log Indicators:

  • Unexpected authentication successes
  • User accessing resources without proper authentication
  • Multiple failed authentication attempts followed by success without credentials

Network Indicators:

  • Unauthorized API calls to protected endpoints
  • Suspicious session creation patterns

SIEM Query:

source="application_logs" AND ("auth bypass" OR "unauthorized access" OR "privilege escalation")
