Critical security vulnerability in @clerk/nextjs

Category
Security
Published

Please upgrade immediately to 4.29.3

The Clerk team recently identified and patched a critical security vulnerability in the @clerk/nextjs SDK that allows malicious actors to gain privileged access or act on behalf of other users.

If you use @clerk/nextjs, please upgrade immediately to 4.29.3.

In addition to releasing this patch, we have collaborated with a number of cloud providers to mitigate attacks at the network layer. Below, you will find details about these mitigations, as well as additional details about the vulnerability, and our plans to prevent future reoccurrence.

Proactive network layer mitigation

Upon discovery of the vulnerability, we immediately recognized its severity and reached out to cloud infrastructure providers for help protecting our customers’ applications.

We are pleased to share that Vercel, Netlify, and Cloudflare have deployed mitigations at the network layer. Applications using these providers are already protected. We are incredibly grateful for their fast response and close collaboration to reach the best possible resolution.

It is important to understand that these mitigations are not permanent, and should not be seen as a substitute for immediately upgrading your SDK.

Additional details

  • The vulnerability was discovered on Tuesday, January 9 during an internal audit.
  • The vulnerability impacts @clerk/nextjs version 4.7.0 to 4.29.2.
  • The vulnerability impacts applications that use a Next.js backend. Specifically, those that call auth() in the App Router, or getAuth() in the Pages Router.
  • Applications that only use Next.js for its frontend and middleware functionality are not impacted.
  • Only the @clerk/nextjs SDK is impacted. Other SDKs, including other JavaScript-based SDKs, are not impacted.
  • While we are not aware of any exploit, we unfortunately cannot be sure without access to the server’s logs. Detailed instructions for inspecting logs for an attack will be made available to impacted customers who request them, but will not be published publicly. Please email security@clerk.dev if you would like those instructions.
  • For the avoidance of doubt, the vulnerability does not grant unauthorized access to Clerk's systems.
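The scoping rules above (affected version range, and backend usage via auth() or getAuth()) can be turned into a quick triage check. The following is an added example, not Clerk's own tooling; it assumes the caller reads the installed version from the lockfile, and that backend usage appears as an import from @clerk/nextjs (or @clerk/nextjs/server) together with a call to auth() or getAuth(). The sample source files are constructed.

```javascript
// Added example (not Clerk's code): triage a project against the advisory's
// affected range and the backend call patterns it names.
const AFFECTED_MIN = [4, 7, 0];
const AFFECTED_MAX = [4, 29, 2]; // inclusive upper bound; 4.29.3 is the fixed release
const FIXED = "4.29.3";

function parseSemver(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

function isAffectedVersion(v) {
  const p = parseSemver(v);
  return cmp(p, AFFECTED_MIN) >= 0 && cmp(p, AFFECTED_MAX) <= 0;
}

// Backend usage the advisory names: auth() (App Router) or getAuth() (Pages Router).
// Case-sensitive and anchored on "(", so useAuth() and authMiddleware() do not match.
const BACKEND_CALL = /\b(?:auth|getAuth)\s*\(/;
const CLERK_IMPORT = /from\s+["']@clerk\/nextjs(?:\/server)?["']/;

function usesClerkBackendAuth(source) {
  return CLERK_IMPORT.test(source) && BACKEND_CALL.test(source);
}

function assess(installedVersion, sourceFiles) {
  const affectedVersion = isAffectedVersion(installedVersion);
  const backendCalls = Object.keys(sourceFiles).filter((f) => usesClerkBackendAuth(sourceFiles[f]));
  return {
    installedVersion,
    affectedVersion,
    backendCalls,
    impacted: affectedVersion && backendCalls.length > 0,
    // The advisory asks every user of an affected version to upgrade, impacted or not.
    action: affectedVersion ? `upgrade @clerk/nextjs to ${FIXED}` : "none required",
  };
}

// Constructed sample sources (hypothetical project, not a real code base).
const SAMPLE_FILES = {
  "app/api/me/route.ts": 'import { auth } from "@clerk/nextjs";\nexport function GET() { const { userId } = auth(); return Response.json({ userId }); }',
  "middleware.ts": 'import { authMiddleware } from "@clerk/nextjs";\nexport default authMiddleware({});',
  "components/Header.tsx": 'import { useAuth } from "@clerk/nextjs";\nexport function Header() { return useAuth().userId; }',
};
console.log(assess("4.29.2", SAMPLE_FILES));
```

Only the API route is flagged: the middleware-only and frontend-only files match the "not impacted" cases in the list above.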

Preventing reoccurrence

Security is Clerk’s most important responsibility, and we are continually improving our processes to ensure your application and your users remain safe.

Along with releasing this patch, we have already updated our internal test suites to ensure this particular vulnerability will not be introduced again, or into any other Clerk framework SDK.

In the coming weeks, we will conduct a full post-mortem, which we expect to generate additional preventive measures.

These steps are in addition to our regular independent security audits of our codebase, regular penetration testing, and the continual reports we receive from external security researchers. If you believe you have found a security vulnerability, please report it to us through our vulnerability disclosure program.

Additional support is available

If you have questions or concerns, please do not hesitate to reach out to security@clerk.dev.