Clerk JavaScript Middleware Bypass Vulnerability in Astro, Next.js, and Nuxt
Vulnerability
A vulnerability exists in the Clerk JavaScript libraries for Astro, Next.js, and Nuxt, where the `createRouteMatcher` function can be bypassed by specially crafted requests. This allows requests to skip middleware protections and directly access downstream handlers, such as API routes or server components. While this vulnerability does not compromise user sessions or authentication, it can undermine route protection by allowing unauthorized access to protected resources.
Impact
Exploiting this vulnerability bypasses middleware-level route protections, allowing unauthorized requests to access downstream handlers without proper authentication. However, it does not affect authentication checks within the handlers themselves or in external APIs that verify tokens independently.
Remediation
Users should upgrade to the latest patched versions of the Clerk libraries. For `@clerk/nextjs`, the fixed versions are 5.7.6, 6.39.2, and 7.2.1. For `@clerk/nuxt`, users should upgrade to 1.13.28 or 2.2.2. For `@clerk/astro`, the patched versions are 1.5.7, 2.17.10, and 3.0.15. If an immediate upgrade is not possible, adding server-side authentication checks in route handlers can provide temporary protection against the bypass.