CVE-2025-53548
Severity: HIGH 7.5 | EPSS 0.13%
@clerk/backend Performs Insufficient Verification of Data Authenticity
Description
### Impact

Applications that use the `verifyWebhook()` helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.

### Patches

* `@clerk/backend`: the helper has been patched as of `2.4.0`
* `@clerk/astro`: the helper has been patched as of `2.10.2`
* `@clerk/express`: the helper has been patched as of `1.7.4`
* `@clerk/fastify`: the helper has been patched as of `2.4.4`
* `@clerk/nextjs`: the helper has been patched as of `6.23.3`
* `@clerk/nuxt`: the helper has been patched as of `1.7.5`
* `@clerk/react-router`: the helper has been patched as of `1.6.4`
* `@clerk/remix`: the helper has been patched as of `4.8.5`
* `@clerk/tanstack-react-start`: the helper has been patched as of `0.18.3`

### Resolution

The issue was resolved in **`@clerk/backend` `2.4.0`** by:

* Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event

### Workarounds

If unable to upgrade, developers can work around this issue by verifying webhooks manually, per [this documentation](https://clerk.com/docs/webhooks/overview#protect-your-webhooks-from-abuse).
Affected packages (9)
- npm/@clerk/astro: >= 2.9.0, < 2.10.2
- npm/@clerk/backend: >= 2.0.0, < 2.4.0
- npm/@clerk/express: >= 1.6.0, < 1.7.4
- npm/@clerk/fastify: >= 2.3.0, < 2.4.4
- npm/@clerk/nextjs: >= 6.2.10, < 6.23.3
- npm/@clerk/nuxt: >= 1.7.0, < 1.7.5
- npm/@clerk/react-router: >= 1.5.0, < 1.6.4
- npm/@clerk/remix: >= 4.8.0, < 4.8.5
- npm/@clerk/tanstack-react-start: >= 0.16.0, < 0.18.3
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |