GHSA-9MP4-77WG-RWX9
Vulnerability from github – Published: 2025-07-09 18:07 – Updated: 2025-07-09 20:15
VLAI?
Summary
@clerk/backend Performs Insufficient Verification of Data Authenticity
Details
Impact
Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.
Patches
@clerk/backend: the helper has been patched as of2.4.0@clerk/astro: the helper has been patched as of2.10.2@clerk/express: the helper has been patched as of1.7.4@clerk/fastify: the helper has been patched as of2.4.4@clerk/nextjs: the helper has been patched as of6.23.3@clerk/nuxt: the helper has been patched as of1.7.5@clerk/react-router: the helper has been patched as of1.6.4@clerk/remix: the helper has been patched as of4.8.5@clerk/tanstack-react-start: the helper has been patched as of0.18.3
Resolution
The issue was resolved in @clerk/backend 2.4.0 by:
- Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event
Workarounds
If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per this documentation.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@clerk/backend"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.4.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/astro"
},
"ranges": [
{
"events": [
{
"introduced": "2.9.0"
},
{
"fixed": "2.10.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/express"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.0"
},
{
"fixed": "1.7.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/fastify"
},
"ranges": [
{
"events": [
{
"introduced": "2.3.0"
},
{
"fixed": "2.4.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/nextjs"
},
"ranges": [
{
"events": [
{
"introduced": "6.2.10"
},
{
"fixed": "6.23.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/nuxt"
},
"ranges": [
{
"events": [
{
"introduced": "1.7.0"
},
{
"fixed": "1.7.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/react-router"
},
"ranges": [
{
"events": [
{
"introduced": "1.5.0"
},
{
"fixed": "1.6.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/remix"
},
"ranges": [
{
"events": [
{
"introduced": "4.8.0"
},
{
"fixed": "4.8.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "@clerk/tanstack-react-start"
},
"ranges": [
{
"events": [
{
"introduced": "0.16.0"
},
{
"fixed": "0.18.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-53548"
],
"database_specific": {
"cwe_ids": [
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-09T18:07:40Z",
"nvd_published_at": "2025-07-09T18:15:24Z",
"severity": "HIGH"
},
"details": "### Impact\n\nApplications that use the `verifyWebhook()` helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.\n\n### Patches\n\n* `@clerk/backend`: the helper has been patched as of `2.4.0`\n* `@clerk/astro`: the helper has been patched as of `2.10.2`\n* `@clerk/express`: the helper has been patched as of `1.7.4`\n* `@clerk/fastify`: the helper has been patched as of `2.4.4`\n* `@clerk/nextjs`: the helper has been patched as of `6.23.3`\n* `@clerk/nuxt`: the helper has been patched as of `1.7.5`\n* `@clerk/react-router`: the helper has been patched as of `1.6.4`\n* `@clerk/remix`: the helper has been patched as of `4.8.5`\n* `@clerk/tanstack-react-start`: the helper has been patched as of `0.18.3`\n\n### Resolution\n\nThe issue was resolved in **`@clerk/backend` `2.4.0`** by:\n\n* Properly parsing the webhook request\u0027s signatures and comparing them against the signature generated from the received event\n\n### Workarounds\n\nIf unable to upgrade, developers can workaround this issue by verifying webhooks manually, per [this documentation](https://clerk.com/docs/webhooks/overview#protect-your-webhooks-from-abuse).",
"id": "GHSA-9mp4-77wg-rwx9",
"modified": "2025-07-09T20:15:13Z",
"published": "2025-07-09T18:07:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53548"
},
{
"type": "PACKAGE",
"url": "https://github.com/clerk/javascript"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "@clerk/backend Performs Insufficient Verification of Data Authenticity"
}
Loading…
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…