CVE-2025-63700: 
JavaScript vulnerability analysis and mitigation

A vulnerability was discovered in Clerk-js 5.88.0 (CVE-2025-63700) that allows attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage. The vulnerability was disclosed on November 20, 2025, and affects the Clerk-js JavaScript library version 5.88.0 and earlier (NVD, GitHub Advisory).

The vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing) with a CVSS v3.1 base score of 7.5 (HIGH). The attack vector is network-based (AV:N) with low attack complexity (AC:L), requiring no privileges (PR:N) or user interaction (UI:N). The scope is unchanged (S:U) with high confidentiality impact (C:H) but no impact on integrity (I:N) or availability (A:N). The vulnerability exists in the verification step of the authentication flow, where the request can be altered between different authentication strategies, leading to improper validation of the OAuth login sequence (Miggo).

When successfully exploited, an attacker can bypass the OAuth verification process and gain unauthorized access to target accounts. The vulnerability primarily affects the confidentiality aspect of the system by allowing unauthorized account access under specific conditions (GitHub Advisory).