CVE-2025-53548
@clerk/backend Performs Insufficient Verification of Data Authenticity
Description
### Impact

Applications that use the `verifyWebhook()` helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.

### Patches

* `@clerk/backend`: the helper has been patched as of `2.4.0`
* `@clerk/astro`: the helper has been patched as of `2.10.2`
* `@clerk/express`: the helper has been patched as of `1.7.4`
* `@clerk/fastify`: the helper has been patched as of `2.4.4`
* `@clerk/nextjs`: the helper has been patched as of `6.23.3`
* `@clerk/nuxt`: the helper has been patched as of `1.7.5`
* `@clerk/react-router`: the helper has been patched as of `1.6.4`
* `@clerk/remix`: the helper has been patched as of `4.8.5`
* `@clerk/tanstack-react-start`: the helper has been patched as of `0.18.3`

### Resolution

The issue was resolved in **`@clerk/backend` `2.4.0`** by:

* Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event

### Workarounds

If unable to upgrade, developers can work around this issue by verifying webhooks manually, per [this documentation](https://clerk.com/docs/webhooks/overview#protect-your-webhooks-from-abuse).
How to fix CVE-2025-53548
To remediate CVE-2025-53548, upgrade the affected package to a fixed version below.
- `@clerk/astro`: upgrade to 2.10.2 or later
- `@clerk/backend`: upgrade to 2.4.0 or later
- `@clerk/express`: upgrade to 1.7.4 or later
- `@clerk/fastify`: upgrade to 2.4.4 or later
- `@clerk/nextjs`: upgrade to 6.23.3 or later
- `@clerk/nuxt`: upgrade to 1.7.5 or later
- `@clerk/react-router`: upgrade to 1.6.4 or later
- `@clerk/remix`: upgrade to 4.8.5 or later