ghsa-9mp4-77wg-rwx9
Vulnerability from github
Published
2025-07-09 18:07
Modified
2025-07-09 20:15
Severity ?
VLAI Severity ?
Summary
@clerk/backend Performs Insufficient Verification of Data Authenticity
Details
Impact
Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.
Patches
@clerk/backend: the helper has been patched as of2.4.0@clerk/astro: the helper has been patched as of2.10.2@clerk/express: the helper has been patched as of1.7.4@clerk/fastify: the helper has been patched as of2.4.4@clerk/nextjs: the helper has been patched as of6.23.3@clerk/nuxt: the helper has been patched as of1.7.5@clerk/react-router: the helper has been patched as of1.6.4@clerk/remix: the helper has been patched as of4.8.5@clerk/tanstack-react-start: the helper has been patched as of0.18.3
Resolution
The issue was resolved in @clerk/backend 2.4.0 by:
- Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event
Workarounds
If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per this documentation.
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@clerk/backend"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/astro"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/express"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.7.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/fastify"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/nextjs"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.10"
},
{
"fixed": "6.23.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/nuxt"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/react-router"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/remix"
},
"ranges": [
{
"events": [
{
"introduced": "4.8.0"
},
{
"fixed": "4.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/tanstack-react-start"
},
"ranges": [
{
"events": [
{
"introduced": "0.16.0"
},
{
"fixed": "0.18.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53548"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T18:07:40Z",
"nvd_published_at": "2025-07-09T18:15:24Z",
"severity": "HIGH"
},
"details": "### Impact\n\nApplications that use the `verifyWebhook()` helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.\n\n### Patches\n\n* `@clerk/backend`: the helper has been patched as of `2.4.0`\n* `@clerk/astro`: the helper has been patched as of `2.10.2`\n* `@clerk/express`: the helper has been patched as of `1.7.4`\n* `@clerk/fastify`: the helper has been patched as of `2.4.4`\n* `@clerk/nextjs`: the helper has been patched as of `6.23.3`\n* `@clerk/nuxt`: the helper has been patched as of `1.7.5`\n* `@clerk/react-router`: the helper has been patched as of `1.6.4`\n* `@clerk/remix`: the helper has been patched as of `4.8.5`\n* `@clerk/tanstack-react-start`: the helper has been patched as of `0.18.3`\n\n### Resolution\n\nThe issue was resolved in **`@clerk/backend` `2.4.0`** by:\n\n* Properly parsing the webhook request\u0027s signatures and comparing them against the signature generated from the received event\n\n### Workarounds\n\nIf unable to upgrade, developers can workaround this issue by verifying webhooks manually, per [this documentation](https://clerk.com/docs/webhooks/overview#protect-your-webhooks-from-abuse).",
"id": "GHSA-9mp4-77wg-rwx9",
"modified": "2025-07-09T20:15:13Z",
"published": "2025-07-09T18:07:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53548"
},
{
"type": "PACKAGE",
"url": "https://github.com/clerk/javascript"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "@clerk/backend Performs Insufficient Verification of Data Authenticity"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
- Confirmed: The vulnerability is confirmed from an analyst perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
- Patched: This vulnerability was successfully patched by the user reporting the sighting.
- Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
- Not confirmed: The user expresses doubt about the veracity of the vulnerability.
- Not patched: This vulnerability was not successfully patched by the user reporting the sighting.
Loading…
Loading…