Clerk JavaScript Server-Side Request Forgery Vulnerability in Multiple Packages

Vulnerability

A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Clerk JavaScript authentication library. This issue affects the '@clerk/hono' package (versions 0.1.0 prior to 0.1.5), '@clerk/express' (versions 2.0.0 prior to 2.0.7), '@clerk/backend' (versions 3.0.0 prior to 3.2.3), and '@clerk/fastify' (versions 3.1.0 prior to 3.1.5). The vulnerability arises in the 'clerkFrontendApiProxy' function within the '@clerk/backend' package, where an unauthenticated attacker can manipulate request paths to have the proxy send the application's 'Clerk-Secret-Key' to a server controlled by the attacker. This vulnerability is only present in applications that have opted into the 'frontendApiProxy' feature, which is not enabled by default.

Impact

Exploitation of this vulnerability could lead to the unauthorized disclosure of the Clerk Secret Key to an attacker-controlled server.

Remediation

Users should upgrade to '@clerk/hono' version 0.1.5, '@clerk/express' version 2.0.7, '@clerk/backend' version 3.2.3, and '@clerk/fastify' version 3.1.5. After upgrading, it is recommended to rotate the Clerk Secret Key via the Clerk Dashboard under API Keys, and to audit access logs for requests to the proxy endpoint that contain double slashes in the path.
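To support the log audit recommended above, the following is an added example (not Clerk's code) that scans combined-format web-server access logs for requests under the proxy endpoint whose path contains a double slash. The proxy mount path '/__clerk', the sample log lines, and the percent-decoding step are assumptions made for this example.

```javascript
// Combined log format: host ident user [time] "METHOD target HTTP/x" status bytes ...
const LOG_LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseLogLine(line) {
  const m = LOG_LINE_RE.exec(line);
  if (!m) return null; // not a recognisable access-log line; skip it
  return { ip: m[1], time: m[2], method: m[3], target: m[4], status: Number(m[5]) };
}

// Strip the query string and percent-decode the path so that encoded
// separators do not hide a double slash (decoding is an added heuristic).
function normalizePath(target) {
  const path = target.split('?')[0];
  try {
    return decodeURIComponent(path);
  } catch {
    return path; // malformed encoding: fall back to the raw path
  }
}

// Returns the parsed entries whose path is under proxyPrefix and contains "//",
// which is the indicator the advisory tells operators to look for.
function findSuspiciousProxyRequests(lines, proxyPrefix = '/__clerk') {
  const hits = [];
  for (const line of lines) {
    const entry = parseLogLine(line);
    if (!entry) continue;
    const path = normalizePath(entry.target);
    if (!path.startsWith(proxyPrefix)) continue;
    if (path.slice(proxyPrefix.length).includes('//')) {
      hits.push({ ...entry, path });
    }
  }
  return hits;
}

// Constructed sample log lines (not real traffic); the mount path is assumed.
const SAMPLE_LOG = [
  '203.0.113.7 - - [01/Apr/2026:18:40:01 +0000] "GET /__clerk/v1/client HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [01/Apr/2026:18:40:02 +0000] "GET /__clerk//v1/client HTTP/1.1" 200 512 "-" "curl/8.0"',
  '198.51.100.4 - - [01/Apr/2026:18:40:03 +0000] "GET /__clerk/%2F%2Fv1/me HTTP/1.1" 404 0 "-" "curl/8.0"',
  '198.51.100.4 - - [01/Apr/2026:18:40:04 +0000] "GET /api//health HTTP/1.1" 200 2 "-" "curl/8.0"',
];

for (const hit of findSuspiciousProxyRequests(SAMPLE_LOG)) {
  console.log(`${hit.time} ${hit.ip} ${hit.method} ${hit.path} -> ${hit.status}`);
}
```

Run it against the real log with the application's actual proxy mount path; every flagged entry is a request worth correlating with the key rotation timeline.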

Added: Apr 1, 2026, 6:43 PM
Updated: Apr 1, 2026, 6:43 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 6.8
remediation: 0.0
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.