CVE-2025-53548
BaseFortify
Publication date: 2025-07-09
Last updated on: 2025-07-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| clerk | react-router | 1.6.4 |
| clerk | backend | 2.4.0 |
| clerk | nuxt | 1.7.5 |
| clerk | remix | 4.8.5 |
| clerk | express | 1.7.4 |
| clerk | tanstack-react-start | 0.18.3 |
| clerk | nextjs | 6.23.3 |
| clerk | astro | 2.10.2 |
| clerk | fastify | 2.4.4 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-345 | The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in Clerk's verifyWebhook() helper, which is used to verify incoming webhook events. Because of this flaw, applications using the helper may accept improperly signed webhook events, so the authenticity of a webhook cannot be reliably confirmed. This could allow attackers to send forged webhook events to the application.
How can this vulnerability impact me?
The vulnerability can impact you by allowing attackers to send malicious or forged webhook events to your application, potentially causing it to perform unauthorized actions or behave incorrectly. Since the integrity of webhook events cannot be guaranteed, this could lead to compromised application logic or security.
What immediate steps should I take to mitigate this vulnerability?
Update the @clerk/backend package to version 2.4.0 or later, as this version resolves the issue with improperly signed webhook events.