Vulnerability Database

300,990

Total vulnerabilities in the database

CVE-2024-22206

Clerk helps developers build user management. Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router. This vulnerability was patched in version 4.29.3.

Published: Jan 12, 2024
Updated: May 4, 2025
CVE: CVE-2024-22206
GHSA: GHSA-q6w5-jg5q-47vg
Severity: Critical
Exploit:

CVSS v3:

Severity: Critical
Score: 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWEs:

CWE-284
CWE-287
CWE-639

OWASP TOP 10:

A5 - Broken Access Control
A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
@clerk / nextjs	4.7.0	4.29.3
clerk / javascript	4.7.0	4.29.3

https://clerk.com/changelog/2024-01-12
https://github.com/clerk/javascript/releases/tag/%40clerk%2Fnextjs%404.29.3
https://github.com/clerk/javascript/security/advisories/GHSA-q6w5-jg5q-47vg

Deep Security Visibility Without the Complexity

SynScan provides clear, real-time security insights so you can monitor your attack surface, spot risks early, and act fast—without extra complexity.

No setup fees
5-min deployment
Cancel anytime

Book a Demo