GHSA-9mp4-77wg-rwx9: @clerk/backend Performs Insufficient Verification of Data Authenticity

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-53548

@clerk/backend Performs Insufficient Verification of Data Authenticity

High severity GitHub Reviewed Published Jul 9, 2025 in clerk/javascript • Updated Jul 9, 2025

Package

npm @clerk/astro (npm)

Affected versions

>= 2.9.0, < 2.10.2

npm @clerk/react-router (npm)

npm @clerk/tanstack-react-start (npm)

Impact

Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.

Patches

• @clerk/backend: the helper has been patched as of 2.4.0
• @clerk/astro: the helper has been patched as of 2.10.2
• @clerk/express: the helper has been patched as of 1.7.4
• @clerk/fastify: the helper has been patched as of 2.4.4
• @clerk/nextjs: the helper has been patched as of 6.23.3
• @clerk/nuxt: the helper has been patched as of 1.7.5
• @clerk/react-router: the helper has been patched as of 1.6.4
• @clerk/remix: the helper has been patched as of 4.8.5
• @clerk/tanstack-react-start: the helper has been patched as of 0.18.3

Resolution

The issue was resolved in @clerk/backend 2.4.0 by:

• Properly parsing the webhook request’s signatures and comparing them against the signature generated from the received event

Workarounds

If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per this documentation.

References

• GHSA-9mp4-77wg-rwx9

Published to the GitHub Advisory Database

Jul 9, 2025