Javascript
cpe:2.3:a:clerk:javascript:*:*:*:*:*:*:*:*
part: a version: * update: *
| Vendor | Clerk (c94c09e1-5e83-53af-927d-05e120e6caaf) |
|---|---|
| Product | Javascript (b469430b-a9cd-5d27-a373-785d0317156f) |
| Edition | * |
| Language | * |
| Software edition | * |
| Target software | * |
| Target hardware | * |
| Other | * |
| Notes | Imported from purl2cpe mapping |
PURL mappings
| PURL | Source | Last updated |
|---|---|---|
| pkg:github/clerk/javascript | purl2cpe | 2026-06-01 10:13:18.083024 |
| pkg:npm/%40clerk/clerk-sdk-node | purl2cpe | 2026-06-01 10:13:18.083028 |
Vulnerability references
| Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale |
|---|---|---|---|---|
| CVE:CVE-2026-42349 | vulnerable | 2026-06-03 15:25:00.988976 | Clerk: Authorization bypass when combining organization, billing, or reverification checks. Clerk JavaScript is the official JavaScript repository for Clerk authentication. has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. The bypass requires a specific call shape: a has() or auth.protect() call that combines a reverification check with any of role, permission, feature, or plan, or that combines a billing check (feature or plan) with a role or permission check. This vulnerability is fixed in @clerk/clerk-js 5.125.10 and 6.7.5. Published 2026-05-11T16:08:27.869Z; updated 2026-05-14T18:19:38.735Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2026-34076 | vulnerable | 2026-06-03 15:22:08.975048 | Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to an unintended host. HIGH (7.4). Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5. Published 2026-04-01T16:59:21.828Z; updated 2026-04-01T18:00:23.118Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2025-53548 | vulnerable | 2026-06-03 15:03:54.273810 | @clerk/backend performs insufficient verification of data authenticity. HIGH (7.5). Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0. Published 2025-07-09T17:12:10.483Z; updated 2025-07-09T17:34:36.765Z. | Imported from gcve-enriched-dumps CVE data |
| CVE:CVE-2024-22206 | vulnerable | 2026-06-03 14:55:00.029150 | @clerk/nextjs auth() and getAuth() methods vulnerable to insecure direct object reference (IDOR). CRITICAL (9.1). Clerk helps developers build user management. A logic flaw in auth() in the App Router or getAuth() in the Pages Router allows unauthorized access or privilege escalation. This vulnerability was patched in version 4.29.3. Published 2024-01-12T20:07:40.402Z; updated 2024-11-14T15:42:39.402Z. | Imported from gcve-enriched-dumps CVE data |
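The SSRF entry above describes a proxy that can be steered into sending the application's secret key to a host the operator did not choose; the remediation on record is upgrading to the fixed versions listed. The following is an added example, not code from Clerk or from this database, of the origin-pinning check any forwarding proxy needs so that a request path can never change the outbound host. The upstream origin, the header name `Clerk-Secret-Key` and the probe paths are constructed for the example. The page does not state which path shape was used against clerkFrontendApiProxy; the scheme-relative and backslash forms shown are classic URL-resolution pitfalls in general, not a claim about this CVE.

```javascript
// Added example, not Clerk's code: pin a forwarding proxy to one upstream
// origin so that no request path can redirect the outbound request (and the
// secret header attached to it) to a different host.
const UPSTREAM = 'https://frontend-api.example.test'; // assumed placeholder origin
const SECRET_HEADER = 'Clerk-Secret-Key';              // assumed header name

// Resolve a request path against the upstream origin and return the full
// target URL, or throw if the path would change scheme, host or port.
function buildUpstreamUrl(upstreamOrigin, requestPath) {
  const base = new URL(upstreamOrigin);
  // Cheap prefilter: require a path, refuse absolute and scheme-relative forms.
  if (!requestPath.startsWith('/') || requestPath.startsWith('//')) {
    throw new Error(`rejected path: ${requestPath}`);
  }
  // The prefilter is not sufficient on its own: for http(s) the WHATWG URL
  // parser treats a backslash like a slash, so "/\\evil" also yields a new
  // host. The origin comparison after resolution is the real control.
  const target = new URL(requestPath, base);
  if (target.origin !== base.origin) {
    throw new Error(`path escaped upstream origin: ${requestPath} -> ${target.origin}`);
  }
  return target.toString();
}

// Attach the secret only when the target is the pinned upstream. Defense in
// depth: even a bug in the routing above cannot send the key elsewhere.
function outboundHeaders(targetUrl, secret) {
  const headers = { 'content-type': 'application/json' };
  if (new URL(targetUrl).origin === new URL(UPSTREAM).origin) {
    headers[SECRET_HEADER] = secret;
  }
  return headers;
}

// Constructed probe paths: the first is legitimate, the rest try to move the host.
const PROBES = [
  '/v1/client',
  '//attacker.example/v1/client',
  '/\\attacker.example/v1/client',
  'https://attacker.example/v1/client',
];

// Returns { path, ok: true, url } or { path, ok: false, reason }.
function classify(path) {
  try {
    return { path, ok: true, url: buildUpstreamUrl(UPSTREAM, path) };
  } catch (e) {
    return { path, ok: false, reason: e.message };
  }
}

for (const r of PROBES.map(classify)) {
  console.log(r.ok ? `forward ${r.path} -> ${r.url}` : `block   ${r.path}: ${r.reason}`);
}
```

The prefilter alone would let the backslash form through, which is why the check compares `origin` after resolution rather than inspecting the raw string; keeping the secret attachment conditional on the same origin comparison means a routing mistake degrades to a failed upstream call rather than a leaked key.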
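Four of the entries above name fixed versions. As an added example (not Clerk's code and not part of this database), the script below turns those version boundaries into a check that can be run against an installed dependency inventory such as the output of `npm ls --json`. Several bounds are assumptions: the page gives only a fixing version for CVE-2025-53548 and CVE-2024-22206, so every earlier version is treated as affected; the 5.0.0 and 6.0.0 lower bounds for @clerk/clerk-js are inferred from the two fixing versions 5.125.10 and 6.7.5; and the CVE-2026-42349 entry names @clerk/shared, @clerk/nextjs and @clerk/backend as affected but lists fix versions only for @clerk/clerk-js, so the check keys on that package alone. The sample inventory is constructed.

```javascript
// Added example, not Clerk's code: flag installed @clerk/* packages whose
// version falls in an affected range listed on this page.
// Ranges are [min, fixed): min inclusive, fixed exclusive. Where the page
// gives only a fixing version, min is null and every earlier version is
// treated as affected (conservative assumption).
const AFFECTED = [
  { cve: 'CVE-2026-34076', pkg: '@clerk/hono',     min: '0.1.0', fixed: '0.1.5' },
  { cve: 'CVE-2026-34076', pkg: '@clerk/express',  min: '2.0.0', fixed: '2.0.7' },
  { cve: 'CVE-2026-34076', pkg: '@clerk/backend',  min: '3.0.0', fixed: '3.2.3' },
  { cve: 'CVE-2026-34076', pkg: '@clerk/fastify',  min: '3.1.0', fixed: '3.1.5' },
  { cve: 'CVE-2025-53548', pkg: '@clerk/backend',  min: null,    fixed: '2.4.0' },
  { cve: 'CVE-2024-22206', pkg: '@clerk/nextjs',   min: null,    fixed: '4.29.3' },
  // Two fixing versions on separate majors; the lower bounds 5.0.0 and 6.0.0
  // are an assumption, not stated on the page.
  { cve: 'CVE-2026-42349', pkg: '@clerk/clerk-js', min: '5.0.0', fixed: '5.125.10' },
  { cve: 'CVE-2026-42349', pkg: '@clerk/clerk-js', min: '6.0.0', fixed: '6.7.5' },
];

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into numbers. The prerelease tag is
// dropped, so 3.2.3-beta.1 compares equal to 3.2.3 and counts as fixed.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparator: -1, 0 or 1 (so 5.125.10 > 5.125.9, unlike a string sort).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when version is at or above min (if any) and strictly below fixed.
function inRange(version, { min, fixed }) {
  if (compareVersions(version, fixed) >= 0) return false;              // already fixed
  if (min !== null && compareVersions(version, min) < 0) return false;  // predates range
  return true;
}

// installed: { '<package>': '<version>', ... }. Returns one finding per
// (package, CVE) pair so a package hit by two advisories is reported twice.
function findAffected(installed) {
  const findings = [];
  for (const [pkg, version] of Object.entries(installed)) {
    for (const r of AFFECTED) {
      if (r.pkg === pkg && inRange(version, r)) {
        findings.push({ pkg, version, cve: r.cve, fixed: r.fixed });
      }
    }
  }
  return findings;
}

// Constructed sample inventory, not a real project's lockfile.
const SAMPLE_INSTALLED = {
  '@clerk/backend': '3.1.0',   // inside the SSRF range, fixed in 3.2.3
  '@clerk/nextjs': '4.29.3',   // exactly the IDOR fix, not affected
  '@clerk/express': '2.0.7',   // fixed
  '@clerk/clerk-js': '6.7.4',  // one patch below the 6.x authorization fix
  '@clerk/hono': '0.1.2',      // inside the SSRF range
};

for (const f of findAffected(SAMPLE_INSTALLED)) {
  console.log(`${f.pkg}@${f.version}: ${f.cve}, upgrade to >= ${f.fixed}`);
}
```

Feed it the `dependencies` map from `npm ls --json --all` (each entry's `version` field) to cover transitive installs; @clerk/backend in particular is pulled in by the framework SDKs, so a direct-dependency check alone can miss it. Tighten `parseVersion` if you ship prerelease builds, since the comparator treats them as the corresponding release.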