| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| @clerk/backend | npm | >= 2.0.0, < 2.4.0 | 2.4.0 |
| @clerk/astro | npm | >= 2.9.0, < 2.10.2 | 2.10.2 |
| @clerk/express | npm | >= 1.6.0, < 1.7.4 | 1.7.4 |
| @clerk/fastify | npm | >= 2.3.0, < 2.4.4 | 2.4.4 |
| @clerk/nextjs | npm | >= 6.2.10, < 6.23.3 | 6.23.3 |
| @clerk/nuxt | npm | >= 1.7.0, < 1.7.5 | 1.7.5 |
| @clerk/react-router | npm | >= 1.5.0, < 1.6.4 | 1.6.4 |
| @clerk/remix | npm | >= 4.8.0, < 4.8.5 | 4.8.5 |
| @clerk/tanstack-react-start | npm | >= 0.16.0, < 0.18.3 | 0.18.3 |
The vulnerability lies in the verifyWebhook function within the @clerk/backend package. The function was responsible for verifying the authenticity of incoming webhooks from Clerk. The original implementation contained a critical logic flaw in its signature verification process. Instead of rejecting requests with invalid signatures, it did the opposite: it rejected requests with valid signatures and allowed those with invalid or no signatures to be processed. This would allow an attacker to bypass webhook authentication and send malicious or spoofed events to the application.

The patch addresses this by completely refactoring the verifyWebhook function. It removes the incorrect manual implementation and replaces it with the standardwebhooks library, which is the standard for webhook verification and is used by Svix (the underlying webhook provider for Clerk). This ensures that webhook signatures are verified correctly and that only authentic requests from Clerk are processed.