Impact
Unauthorized access or privilege escalation due to a logic flaw in auth() in the App Router or getAuth() in the Pages Router.
Affected Versions
All applications that that use @clerk/nextjs versions in the range of >= 4.7.0,< 4.29.3 in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that call auth() in the App Router or getAuth() in the Pages Router. Only the @clerk/nextjs SDK is impacted. Other SDKs, including other Javascript-based SDKs, are not impacted.
Patches
Fix included in @clerk/nextjs@4.29.3.
References
nikosdouvlis Remediation developer
SokratisVidros Reporter
colinclerk Coordinator
agis Remediation developer
braden-clerk Coordinator
BRKalow Remediation developer
Impact
Unauthorized access or privilege escalation due to a logic flaw in
auth()in the App Router orgetAuth()in the Pages Router.Affected Versions
All applications that that use
@clerk/nextjsversions in the range of>= 4.7.0,< 4.29.3in a Next.js backend to authenticate API Routes, App Router, or Route handlers. Specifically, those that callauth()in the App Router orgetAuth()in the Pages Router. Only the@clerk/nextjsSDK is impacted. Other SDKs, including other Javascript-based SDKs, are not impacted.Patches
Fix included in
@clerk/nextjs@4.29.3.References