Incorrect Authorization Affecting @clerk/nextjs package, versions >=6.0.0 <6.39.3>=7.0.0 <7.2.4

@clerk/nextjs is a Clerk SDK for NextJS

Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single auth.protect() or has() call that mixes authorization criteria with redirect/token options, or by combining multiple authorization dimensions where one should deny but is treated as indeterminate.

The vulnerable logic in createProtect can bypass role, permission, feature, plan, or re-verification checks when the same object also includes unauthenticatedUrl, unauthorizedUrl, or token, allowing authenticated callers through without the intended authorization test. In createCheckAuthorization, combined checks across organization, billing, and reverification can return success when one dimension passes, and another lacks valid session data, allowing users to reach admin-only or otherwise restricted functionality and bypass access controls.

Note: From the project maintainers: If you pin @clerk/clerk-js directly, upgrade it to the patched version. Most apps load @clerk/clerk-js from Clerk's CDN through their framework package and will receive the fix automatically, with no upgrade step required.

• Split any combined has() or auth.protect() authorization call into separate single-condition checks, and deny access if either check fails. For example, replace auth.protect({ permission: 'org:X', reverification: 'strict' }) with sequential auth.protect({ reverification: 'strict' }) and auth.protect({ permission: 'org:X' }) calls so each condition is enforced independently, and a missing or unsatisfied dimension cannot be ignored.

• GitHub Commit
• Maintainer's Advisory