CVE-2025-53548: 
JavaScript vulnerability analysis and mitigation

Clerk helps developers build user management. A vulnerability was discovered in applications using the verifyWebhook() helper to verify incoming Clerk webhooks, making them susceptible to accepting improperly signed webhook events. The vulnerability was identified with CVE-2025-53548 and assigned a CVSS score of 7.5 (High). The issue affects multiple Clerk packages including @clerk/backend (versions >= 2.0.0 < 2.4.0), @clerk/astro, @clerk/express, @clerk/fastify, @clerk/nextjs, @clerk/nuxt, @clerk/react-router, @clerk/remix, and @clerk/tanstack-react-start. The vulnerability was disclosed on July 9, 2025 (GitHub Advisory).

The vulnerability is classified as CWE-345 (Insufficient Verification of Data Authenticity), where the application fails to properly verify the authenticity of webhook data. The issue has a CVSS v3.1 base score of 7.5 (High) with the following vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N. This indicates that the vulnerability can be exploited over the network, requires low attack complexity, needs no privileges or user interaction, has unchanged scope, no impact on confidentiality, high impact on integrity, and no impact on availability (GitHub Advisory).

The vulnerability allows attackers to bypass webhook signature verification, potentially leading to the acceptance of unauthorized or maliciously crafted webhook events. This could result in unauthorized data modifications or system compromise through the webhook processing pipeline (GitHub Advisory).

The issue was resolved in @clerk/backend version 2.4.0 by implementing proper parsing of webhook request signatures and comparing them against the signature generated from the received event. For users unable to upgrade, a workaround is available by implementing manual webhook verification following the official documentation. Other affected packages have also received patches: @clerk/astro (2.10.2), @clerk/express (1.7.4), @clerk/fastify (2.4.4), @clerk/nextjs (6.23.3), @clerk/nuxt (1.7.5), @clerk/react-router (1.6.4), @clerk/remix (4.8.5), and @clerk/tanstack-react-start (0.18.3) (GitHub Advisory).