High severity7.5OSV Advisory· Published Jul 9, 2025· Updated Apr 15, 2026

CVE-2025-53548

Description

Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
@clerk/backendnpm	>= 2.0.0, < 2.4.0	2.4.0
@clerk/astronpm	>= 2.9.0, < 2.10.2	2.10.2
@clerk/expressnpm	>= 1.6.0, < 1.7.4	1.7.4
@clerk/fastifynpm	>= 2.3.0, < 2.4.4	2.4.4
@clerk/nextjsnpm	>= 6.2.10, < 6.23.3	6.23.3
@clerk/nuxtnpm	>= 1.7.0, < 1.7.5	1.7.5
@clerk/react-routernpm	>= 1.5.0, < 1.6.4	1.6.4
@clerk/remixnpm	>= 4.8.0, < 4.8.5	4.8.5
@clerk/tanstack-react-startnpm	>= 0.16.0, < 0.18.3	0.18.3

Affected products

Clerk/JavaScriptOSV
Range: @clerk/backend-core@0.1.0, @clerk/backend-core@0.1.0-alpha.1, @clerk/backend-core@0.1.0-alpha.2, …

Patches

ca9e5f16f520

https://github.com/clerk/javascriptvia osv

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-9mp4-77wg-rwx9ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2025-53548ghsaADVISORY
github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9nvdWEB

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000