CVE-2025-53548
HIGHClerk Backend < 2.4.0 - Insufficient Verification of Data Authenticity in Webhook Verification
Title source: llmDescription
Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0.
References (1)
Core 1
Core References
Vendor Advisory x_refsource_confirm
https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9
Scores
CVSS v3
7.5
EPSS
0.0015
EPSS Percentile
4.7%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-345
Status
published
Products (10)
clerk/astro
2.9.0 - 2.10.2npm
clerk/backend
2.0.0 - 2.4.0npm
clerk/express
1.6.0 - 1.7.4npm
clerk/fastify
2.3.0 - 2.4.4npm
clerk/javascript
< 2.4.0
clerk/nextjs
6.2.10 - 6.23.3npm
clerk/nuxt
1.7.0 - 1.7.5npm
clerk/react-router
1.5.0 - 1.6.4npm
clerk/remix
4.8.0 - 4.8.5npm
clerk/tanstack-react-start
0.16.0 - 0.18.3npm
Published
Jul 09, 2025
Tracked Since
Feb 18, 2026