# CVE-2025-53548

## Summary

A vulnerability affecting **`@clerk/backend` >= 2.0.0 < 2.4.0** was recently reported to the Clerk team and resolved. The vulnerability was discovered in the `verifyWebhook()` helper, which is used to verify incoming Clerk webhooks, and it allowed improperly signed webhook events to be accepted as legitimate. **Potentially impacted customers have already been notified via email. If your application does not use `verifyWebhook()` you are not impacted.**

## Impact

Applications that use the `verifyWebhook()` helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.

## Patches

- `@clerk/backend`: the helper has been patched as of `2.4.0`
- `@clerk/astro`: the helper has been patched as of `2.10.2`
- `@clerk/express`: the helper has been patched as of `1.7.4`
- `@clerk/fastify`: the helper has been patched as of `2.4.4`
- `@clerk/nextjs`: the helper has been patched as of `6.23.3`
- `@clerk/nuxt`: the helper has been patched as of `1.7.5`
- `@clerk/react-router`: the helper has been patched as of `1.6.4`
- `@clerk/remix`: the helper has been patched as of `4.8.5`
- `@clerk/tanstack-react-start`: the helper has been patched as of `0.18.3`

## Resolution

The issue was resolved in **`@clerk/backend` `2.4.0`** by:

- Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event

## Workarounds

If unable to upgrade, developers can work around this issue by verifying webhooks manually, per [this documentation](https://clerk.com/docs/webhooks/overview.md#protect-your-webhooks-from-abuse).

## Credits

Thanks to a **Clerk customer** for responsibly disclosing the issue to the team.

## References

- [Fix in `@clerk/backend` `2.4.0`](https://github.com/clerk/javascript/releases/tag/%40clerk%2Fbackend%402.4.0)
- [GHSA-9mp4-77wg-rwx9](https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9)
