CVE-2025-53548

Summary

A vulnerability affecting @clerk/backend >= 2.0.0 < 2.4.0 was recently reported to the Clerk team and resolved. The vulnerability was discovered in the verifyWebhook() helper, which is used to verify incoming Clerk webhooks, and it allowed improperly signed webhook events to be accepted as legitimate. Potentially impacted customers have already been notified via email. If your application does not use verifyWebhook() you are not impacted.

Impact

Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.

Patches

• @clerk/backend: the helper has been patched as of 2.4.0
• @clerk/astro: the helper has been patched as of 2.10.2
• @clerk/express: the helper has been patched as of 1.7.4
• @clerk/fastify: the helper has been patched as of 2.4.4
• @clerk/nextjs: the helper has been patched as of 6.23.3
• @clerk/nuxt: the helper has been patched as of 1.7.5
• @clerk/react-router: the helper has been patched as of 1.6.4
• @clerk/remix: the helper has been patched as of 4.8.5
• @clerk/tanstack-react-start: the helper has been patched as of 0.18.3

Resolution

The issue was resolved in @clerk/backend 2.4.0 by:

• Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event

Workarounds

If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per this documentation⁠.

Credits

Thanks to a Clerk customer for responsibly disclosing the issue to the team.

References

• Fix in @clerk/backend 2.4.0⁠
• GHSA-9mp4-77wg-rwx9⁠