Clerk Webhook Verification Vulnerability in Multiple Packages
Vulnerability
A vulnerability exists in Clerk's user management libraries that allows applications to accept improperly signed webhook events. This issue affects several Clerk packages, including '@clerk/backend', '@clerk/astro', '@clerk/express', '@clerk/fastify', '@clerk/nextjs', '@clerk/nuxt', '@clerk/react-router', '@clerk/remix', and '@clerk/tanstack-react-start'. The vulnerability arises when the 'verifyWebhook()' helper is used to validate incoming Clerk webhooks: the helper accepts malformed webhook signatures, so events that were not correctly signed can pass verification.
Impact
The vulnerability allows for the acceptance of improperly signed webhook events, which could lead to unauthorized actions being performed based on these webhooks.
Remediation
The vulnerability has been patched in all affected Clerk packages. Users should upgrade to the latest version of the specific package they are using. If an upgrade is not possible, webhooks can be verified manually according to the Clerk documentation on webhook protection.