CVE-2025-53548
HIGH7.5EPSS 0.13%@clerk/backend Performs Insufficient Verification of Data Authenticity
Description
### Impact Applications that use the `verifyWebhook()` helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. ### Patches * `@clerk/backend`: the helper has been patched as of `2.4.0` * `@clerk/astro`: the helper has been patched as of `2.10.2` * `@clerk/express`: the helper has been patched as of `1.7.4` * `@clerk/fastify`: the helper has been patched as of `2.4.4` * `@clerk/nextjs`: the helper has been patched as of `6.23.3` * `@clerk/nuxt`: the helper has been patched as of `1.7.5` * `@clerk/react-router`: the helper has been patched as of `1.6.4` * `@clerk/remix`: the helper has been patched as of `4.8.5` * `@clerk/tanstack-react-start`: the helper has been patched as of `0.18.3` ### Resolution The issue was resolved in **`@clerk/backend` `2.4.0`** by: * Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event ### Workarounds If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per [this documentation](https://clerk.com/docs/webhooks/overview#protect-your-webhooks-from-abuse).
Affected packages (9)
- npm/@clerk/astro>= 2.9.0, < 2.10.2
- npm/@clerk/backend>= 2.0.0, < 2.4.0
- npm/@clerk/express>= 1.6.0, < 1.7.4
- npm/@clerk/fastify>= 2.3.0, < 2.4.4
- npm/@clerk/nextjs>= 6.2.10, < 6.23.3
- npm/@clerk/nuxt>= 1.7.0, < 1.7.5
- npm/@clerk/react-router>= 1.5.0, < 1.6.4
- npm/@clerk/remix>= 4.8.0, < 4.8.5
- npm/@clerk/tanstack-react-start>= 0.16.0, < 0.18.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |