HIGH 7.5 npm
@clerk/backend Performs Insufficient Verification of Data Authenticity
GHSA-9mp4-77wg-rwx9 · CVE-2025-53548
Published · Modified
Description
Impact
Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.
Patches
@clerk/backend: the helper has been patched as of2.4.0@clerk/astro: the helper has been patched as of2.10.2@clerk/express: the helper has been patched as of1.7.4@clerk/fastify: the helper has been patched as of2.4.4@clerk/nextjs: the helper has been patched as of6.23.3@clerk/nuxt: the helper has been patched as of1.7.5@clerk/react-router: the helper has been patched as of1.6.4@clerk/remix: the helper has been patched as of4.8.5@clerk/tanstack-react-start: the helper has been patched as of0.18.3
Resolution
The issue was resolved in @clerk/backend 2.4.0 by:
- Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event
Workarounds
If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per this documentation.
Ready to move
Start Securing
Free, no credit card | First findings in minutes