Clerk JavaScript Authorization Bypass Vulnerability in Combined Checks

Vulnerability

A vulnerability exists in Clerk JavaScript authentication that allows authorization predicates to incorrectly return true for certain combined checks. This issue is present in multiple framework SDKs, including @clerk/shared, @clerk/nextjs, @clerk/backend, and others. The vulnerability arises when a has() or auth.protect() call combines reverification checks with roles, permissions, features, or plans, or when billing checks are mixed with role or permission checks. As a result, a user may be able to perform actions without meeting all the required conditions. However, this bypass does not compromise user sessions or authentication states.

Impact

Exploiting this vulnerability can lead to unauthorized actions being performed by users who do not meet the full set of required conditions, bypassing intended authorization checks.

Reproduction

To reproduce this vulnerability, use a has() or auth.protect() call that combines a reverification check with any role, permission, feature, or plan, or that mixes a billing check with a role or permission check. In affected versions, the authorization predicate then incorrectly allows the gated action to proceed even though not all of the combined conditions are met.
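The failure mode described above (a combined check that is satisfied by only one of its conditions) next to the behaviour a fixed predicate must have, as an added illustration written for this page; it is not Clerk's code. The claim shape, the reverification levels, their maximum ages, the gate names (role, permission, feature, plan, reverification) and the regression cases are all constructed.

```javascript
// Added illustration, not Clerk's code: a has()-style predicate that combines
// gates must require EVERY supplied condition. All values are constructed.
const claims = {
  orgRole: "org:member",
  orgPermissions: ["org:reports:read"],
  features: ["reports"],
  plans: ["free"],
  factorVerificationAge: [5, 120], // constructed: minutes since 1st/2nd factor
};
// Constructed reverification levels: maximum second-factor age in minutes.
const REVERIFICATION_MAX_AGE = { strict: 10, moderate: 60, lax: 1440 };
function isReverified(c, level) {
  const maxAge = REVERIFICATION_MAX_AGE[level];
  const age = c.factorVerificationAge[1];
  return maxAge !== undefined && age >= 0 && age <= maxAge;
}

// Failure mode: each satisfied gate returns early, so a matching role
// authorizes the action although the reverification gate was never met.
function hasCombinedOr(c, p) {
  if (p.role !== undefined && c.orgRole === p.role) return true;
  if (p.permission !== undefined && c.orgPermissions.includes(p.permission)) return true;
  if (p.feature !== undefined && c.features.includes(p.feature)) return true;
  if (p.plan !== undefined && c.plans.includes(p.plan)) return true;
  return p.reverification !== undefined && isReverified(c, p.reverification);
}

// Hardened: one boolean per supplied gate, all of which must hold.
// An empty params object authorizes nothing rather than everything.
function hasCombinedAnd(c, p) {
  const gates = [];
  if (p.role !== undefined) gates.push(c.orgRole === p.role);
  if (p.permission !== undefined) gates.push(c.orgPermissions.includes(p.permission));
  if (p.feature !== undefined) gates.push(c.features.includes(p.feature));
  if (p.plan !== undefined) gates.push(c.plans.includes(p.plan));
  if (p.reverification !== undefined) gates.push(isReverified(c, p.reverification));
  return gates.length > 0 && gates.every(Boolean);
}

// Regression cases mixing reverification or billing gates with role/permission.
const CASES = [
  { params: { role: "org:member", reverification: "strict" }, expected: false },
  { params: { permission: "org:reports:read", plan: "pro" }, expected: false },
  { params: { feature: "reports", permission: "org:reports:read" }, expected: true },
  { params: {}, expected: false },
];
// Returns the params of every case where the predicate disagrees with expected.
function findBypasses(predicate) {
  return CASES.filter((t) => predicate(claims, t.params) !== t.expected).map((t) => t.params);
}
```

Running findBypasses against the deployed predicate after an upgrade is a cheap way to confirm that combined checks really are conjunctive in your version.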

Remediation

Upgrade to the latest patch release of the affected framework package. If @clerk/clerk-js is pinned directly, upgrade to the patched version. Most applications will receive the fix automatically from Clerk's CDN through their framework package.

Added: May 11, 2026, 5:30 PM
Updated: May 11, 2026, 5:30 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.6
remediation: 0.0
relevance: 7.6
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.