logo

Database

Insufficient data authenticity validation In @clerk/react-router

Description

@clerk/backend Performs Insufficient Verification of Data Authenticity

Impact

Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.

Patches

    @clerk/backend: the helper has been patched as of 2.4.0

    @clerk/astro: the helper has been patched as of 2.10.2

    @clerk/express: the helper has been patched as of 1.7.4

    @clerk/fastify: the helper has been patched as of 2.4.4

    @clerk/nextjs: the helper has been patched as of 6.23.3

    @clerk/nuxt: the helper has been patched as of 1.7.5

    @clerk/react-router: the helper has been patched as of 1.6.4

    @clerk/remix: the helper has been patched as of 4.8.5

    @clerk/tanstack-react-start: the helper has been patched as of 0.18.3

Resolution

The issue was resolved in @clerk/backend 2.4.0 by:

    Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event

Workarounds

If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per this documentation.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-535482. NVD-2025-535483. OSV-2025-535484. GHSA-9mp4-77wg-rwx95. GCVE-2025-53548

References

1. https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.