{"id":"CVE-2025-53548","summary":"@clerk/backend Performs Insufficient Verification of Data Authenticity","details":"Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0.","aliases":["GHSA-9mp4-77wg-rwx9"],"modified":"2026-04-10T05:30:51.547555Z","published":"2025-07-09T17:12:10.483Z","database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-345"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53548.json"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/53xxx/CVE-2025-53548.json"},{"type":"ADVISORY","url":"https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-53548"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/clerk/javascript","events":[{"introduced":"0"},{"fixed":"ca9e5f16f520ba2cb2499c6e544f1f91573413ed"}],"database_specific":{"versions":[{"introduced":"0"},{"fixed":"2.4.0"}]}}],"versions":["@clerk/backend-core@0.1.0","@clerk/backend-core@0.1.0-alpha.1","@clerk/backend-core@0.1.0-alpha.2","@clerk/backend-core@0.1.0-alpha.3","@clerk/backend-core@0.1.1","@clerk/backend-core@0.1.2","@clerk/backend-core@0.2.0","@clerk/backend-core@0.2.1","@clerk/backend-core@0.2.2","@clerk/backend-core@0.3.0","@clerk/backend-core@0.4.0","@clerk/backend-core@0.4.1","@clerk/backend-core@0.4.1-staging.0","@clerk/backend-core@0.4.2","@clerk/backend-core@0.4.3","@clerk/backend-core@0.4.4","@clerk/backend-core@0.4.4-staging.0","@clerk/backend-core@0.5.0","@clerk/backend-core@0.5.1","@clerk/backend-core@0.5.2","@clerk/backend-core@0.5.2-staging.0","@clerk/backend-core@0.6.0","@clerk/backend-core@0.6.1","@clerk/backend-core@0.6.4-staging.0","@clerk/backend-core@0.7.0-alpha.0","@clerk/backend-core@0.7.0-alpha.1","@clerk/backend-core@0.8.0-alpha.1","@clerk/backend-core@1.0.1-alpha.0","@clerk/backend-core@1.0.1-staging.0","@clerk/backend-core@1.0.2-staging.0","@clerk/backend-core@1.1.0","@clerk/backend-core@1.1.0-alpha.0","@clerk/backend-core@1.1.0-staging.0","@clerk/backend-core@1.1.1","@clerk/backend-core@1.1.1-staging.0","@clerk/backend-core@1.1.2","@clerk/backend-core@1.1.2-staging.0","@clerk/backend-core@1.2.0","@clerk/backend-core@1.2.0-staging.0","@clerk/clerk-expo@0.8.1","@clerk/clerk-expo@0.8.1-staging.0","@clerk/clerk-expo@0.8.10","@clerk/clerk-expo@0.8.11","@clerk/clerk-expo@0.8.12-staging.0","@clerk/clerk-expo@0.8.13","@clerk/clerk-expo@0.8.13-staging.0","@clerk/clerk-expo@0.8.14","@clerk/clerk-expo@0.8.15-staging.0","@clerk/clerk-expo@0.8.16","@clerk/clerk-expo@0.8.16-staging.0","@clerk/clerk-expo@0.8.16-staging.1","@clerk/clerk-expo@0.8.18-alpha.2","@clerk/clerk-expo@0.8.18-alpha.3","@clerk/clerk-expo@0.8.18-staging.0","@clerk/clerk-expo@0.8.2","@clerk/clerk-expo@0.8.3-staging.0","@clerk/clerk-expo@0.8.3-staging.1","@clerk/clerk-expo@0.8.4-staging.0","@clerk/clerk-expo@0.8.5-staging.0","@clerk/clerk-expo@0.8.6","@clerk/clerk-expo@0.8.6-staging.0","@clerk/clerk-expo@0.8.7","@clerk/clerk-expo@0.8.8","@clerk/clerk-expo@0.8.9","@clerk/clerk-expo@0.9.0-alpha.1","@clerk/clerk-expo@0.9.1-alpha.0","@clerk/clerk-expo@0.9.1-staging.0","@clerk/clerk-expo@0.9.2","@clerk/clerk-expo@0.9.2-alpha.0","@clerk/clerk-expo@0.9.2-staging.0","@clerk/clerk-expo@0.9.2-staging.1","@clerk/clerk-expo@0.9.3","@clerk/clerk-expo@0.9.3-staging.0","@clerk/clerk-expo@0.9.4","@clerk/clerk-expo@0.9.4-staging.0","@clerk/clerk-expo@0.9.5","@clerk/clerk-expo@0.9.6","@clerk/clerk-expo@0.9.6-staging.0","@clerk/clerk-js@2.13.1","@clerk/clerk-js@2.13.1-staging.0","@clerk/clerk-js@2.13.2","@clerk/clerk-js@2.13.3-staging.0","@clerk/clerk-js@2.14.0-staging.0","@clerk/clerk-js@2.14.1-staging.0","@clerk/clerk-js@2.14.2-staging.0","@clerk/clerk-js@2.14.3","@clerk/clerk-js@2.14.3-staging.0","@clerk/clerk-js@2.15.0","@clerk/clerk-js@2.16.0","@clerk/clerk-js@2.16.1","@clerk/clerk-js@2.17.0","@clerk/clerk-js@2.17.1","@clerk/clerk-js@2.17.2-staging.0","@clerk/clerk-js@2.17.3","@clerk/clerk-js@2.17.3-staging.0","@clerk/clerk-js@2.17.4","@clerk/clerk-js@2.17.5-staging.0","@clerk/clerk-js@2.17.6","@clerk/clerk-js@2.17.6-staging.0","@clerk/clerk-js@2.17.6-staging.1","@clerk/clerk-js@3.0.1-alpha.2","@clerk/clerk-js@3.0.1-alpha.3","@clerk/clerk-js@3.0.1-staging.0","@clerk/clerk-js@3.1.0-alpha.0","@clerk/clerk-js@3.1.1-alpha.0","@clerk/clerk-js@3.1.1-staging.0","@clerk/clerk-js@3.1.2-staging.0","@clerk/clerk-js@3.2.0","@clerk/clerk-js@3.2.0-alpha.0","@clerk/clerk-js@3.2.0-staging.0","@clerk/clerk-js@3.2.1","@clerk/clerk-js@3.2.1-staging.0","@clerk/clerk-js@3.2.2","@clerk/clerk-js@3.2.2-staging.0","@clerk/clerk-js@3.3.0","@clerk/clerk-js@3.4.0","@clerk/clerk-js@3.4.0-staging.0","@clerk/clerk-react@2.11.1","@clerk/clerk-react@2.11.1-staging.0","@clerk/clerk-react@2.11.2-staging.0","@clerk/clerk-react@2.11.3-staging.0","@clerk/clerk-react@2.11.4","@clerk/clerk-react@2.11.4-staging.0","@clerk/clerk-react@2.11.5","@clerk/clerk-react@2.11.6","@clerk/clerk-react@2.11.7","@clerk/clerk-react@2.12.0","@clerk/clerk-react@2.12.1","@clerk/clerk-react@2.12.2-staging.0","@clerk/clerk-react@2.12.3","@clerk/clerk-react@2.12.3-staging.0","@clerk/clerk-react@2.12.4","@clerk/clerk-react@2.12.5-staging.0","@clerk/clerk-react@2.12.6","@clerk/clerk-react@2.12.6-staging.0","@clerk/clerk-react@2.12.6-staging.1","@clerk/clerk-react@3.0.1-alpha.2","@clerk/clerk-react@3.0.1-alpha.3","@clerk/clerk-react@3.0.1-staging.0","@clerk/clerk-react@3.1.0-alpha.1","@clerk/clerk-react@3.1.1-alpha.0","@clerk/clerk-react@3.1.1-staging.0","@clerk/clerk-react@3.1.2-staging.0","@clerk/clerk-react@3.2.0","@clerk/clerk-react@3.2.0-alpha.0","@clerk/clerk-react@3.2.0-staging.0","@clerk/clerk-react@3.2.1","@clerk/clerk-react@3.2.1-staging.0","@clerk/clerk-react@3.2.2","@clerk/clerk-react@3.2.2-staging.0","@clerk/clerk-sdk-node@2.7.0","@clerk/clerk-sdk-node@2.7.0-alpha.1","@clerk/clerk-sdk-node@2.7.0-alpha.2","@clerk/clerk-sdk-node@2.7.0-alpha.3","@clerk/clerk-sdk-node@2.7.1","@clerk/clerk-sdk-node@2.7.2","@clerk/clerk-sdk-node@2.7.3","@clerk/clerk-sdk-node@2.7.4","@clerk/clerk-sdk-node@2.7.5","@clerk/clerk-sdk-node@2.8.0","@clerk/clerk-sdk-node@2.8.1","@clerk/clerk-sdk-node@2.9.0","@clerk/clerk-sdk-node@2.9.1","@clerk/clerk-sdk-node@2.9.1-staging.0","@clerk/clerk-sdk-node@2.9.10","@clerk/clerk-sdk-node@2.9.2","@clerk/clerk-sdk-node@2.9.3","@clerk/clerk-sdk-node@2.9.4","@clerk/clerk-sdk-node@2.9.4-staging.0","@clerk/clerk-sdk-node@2.9.5","@clerk/clerk-sdk-node@2.9.6","@clerk/clerk-sdk-node@2.9.7","@clerk/clerk-sdk-node@2.9.7-staging.0","@clerk/clerk-sdk-node@2.9.8","@clerk/clerk-sdk-node@2.9.9","@clerk/clerk-sdk-node@3.0.1-staging.0","@clerk/clerk-sdk-node@3.1.0-alpha.0","@clerk/clerk-sdk-node@3.1.0-alpha.1","@clerk/clerk-sdk-node@3.2.0-alpha.1","@clerk/clerk-sdk-node@3.2.1-alpha.0","@clerk/clerk-sdk-node@3.2.1-staging.0","@clerk/clerk-sdk-node@3.2.2","@clerk/clerk-sdk-node@3.2.2-alpha.0","@clerk/clerk-sdk-node@3.2.2-staging.0","@clerk/clerk-sdk-node@3.2.2-staging.1","@clerk/clerk-sdk-node@3.2.3","@clerk/clerk-sdk-node@3.2.3-staging.0","@clerk/clerk-sdk-node@3.2.4","@clerk/clerk-sdk-node@3.2.4-staging.0","@clerk/clerk-sdk-node@3.3.0","@clerk/clerk-sdk-node@3.3.0-staging.0","@clerk/edge@0.1.0","@clerk/edge@0.1.0-alpha.1","@clerk/edge@0.1.0-alpha.2","@clerk/edge@0.1.0-alpha.3","@clerk/edge@0.1.1","@clerk/edge@0.1.2","@clerk/edge@0.1.3","@clerk/edge@0.1.4","@clerk/edge@0.2.0","@clerk/edge@0.2.1","@clerk/edge@0.3.0","@clerk/edge@0.3.1","@clerk/edge@0.3.1-staging.0","@clerk/edge@0.3.2","@clerk/edge@0.3.3","@clerk/edge@0.3.4","@clerk/edge@0.3.4-staging.0","@clerk/edge@0.3.5","@clerk/edge@0.3.6","@clerk/edge@0.3.7","@clerk/edge@0.3.7-staging.0","@clerk/edge@0.3.8","@clerk/edge@0.3.9","@clerk/edge@0.4.0","@clerk/edge@1.0.1-staging.0","@clerk/edge@1.1.0-alpha.0","@clerk/edge@1.1.0-alpha.1","@clerk/edge@1.2.0-alpha.1","@clerk/edge@1.2.1-alpha.0","@clerk/edge@1.2.1-staging.0","@clerk/edge@1.2.2","@clerk/edge@1.2.2-alpha.0","@clerk/edge@1.2.2-staging.0","@clerk/edge@1.2.2-staging.1","@clerk/edge@1.2.3","@clerk/edge@1.2.3-staging.0","@clerk/edge@1.2.4","@clerk/edge@1.2.4-staging.0","@clerk/edge@1.2.5","@clerk/edge@1.2.5-staging.0","@clerk/nextjs@2.11.1","@clerk/nextjs@2.11.1-staging.0","@clerk/nextjs@2.11.10","@clerk/nextjs@2.11.11-staging.0","@clerk/nextjs@2.11.12","@clerk/nextjs@2.11.12-staging.0","@clerk/nextjs@2.11.13","@clerk/nextjs@2.11.14","@clerk/nextjs@2.11.15","@clerk/nextjs@2.11.16-staging.0","@clerk/nextjs@2.11.17","@clerk/nextjs@2.11.17-staging.0","@clerk/nextjs@2.11.17-staging.1","@clerk/nextjs@2.11.2-staging.0","@clerk/nextjs@2.11.2-staging.1","@clerk/nextjs@2.11.2-staging.2","@clerk/nextjs@2.11.3-staging.0","@clerk/nextjs@2.11.4","@clerk/nextjs@2.11.4-staging.0","@clerk/nextjs@2.11.5","@clerk/nextjs@2.11.6","@clerk/nextjs@2.11.7","@clerk/nextjs@2.11.8","@clerk/nextjs@2.11.9","@clerk/nextjs@3.0.1-staging.0","@clerk/nextjs@3.1.0-alpha.0","@clerk/nextjs@3.1.0-alpha.1","@clerk/nextjs@3.2.0-alpha.1","@clerk/nextjs@3.2.1-alpha.0","@clerk/nextjs@3.2.1-staging.0","@clerk/nextjs@3.2.2","@clerk/nextjs@3.2.2-alpha.0","@clerk/nextjs@3.2.2-staging.0","@clerk/nextjs@3.2.2-staging.1","@clerk/nextjs@3.2.3","@clerk/nextjs@3.2.3-staging.0","@clerk/nextjs@3.2.4","@clerk/nextjs@3.2.4-staging.0","@clerk/nextjs@3.3.0","@clerk/nextjs@3.3.0-staging.0","@clerk/remix@0.1.1-staging.0","@clerk/remix@0.2.0-alpha.0","@clerk/remix@0.2.0-alpha.1","@clerk/remix@0.3.0-alpha.1","@clerk/remix@0.3.1-alpha.0","@clerk/remix@0.3.1-staging.0","@clerk/remix@0.3.2","@clerk/remix@0.3.2-alpha.0","@clerk/remix@0.3.2-staging.0","@clerk/remix@0.3.2-staging.1","@clerk/remix@0.3.3","@clerk/remix@0.3.3-staging.0","@clerk/remix@0.3.4","@clerk/remix@0.3.4-staging.0","@clerk/remix@0.3.5","@clerk/remix@0.3.5-staging.0","@clerk/shared@0.0.10","@clerk/shared@0.0.11-staging.0","@clerk/shared@0.0.12","@clerk/shared@0.0.12-staging.0","@clerk/shared@0.0.13","@clerk/shared@0.0.14-staging.0","@clerk/shared@0.0.15","@clerk/shared@0.0.15-staging.0","@clerk/shared@0.0.15-staging.1","@clerk/shared@0.0.16-alpha.2","@clerk/shared@0.0.16-alpha.3","@clerk/shared@0.0.16-alpha.4","@clerk/shared@0.0.16-staging.0","@clerk/shared@0.0.17-alpha.0","@clerk/shared@0.0.17-staging.0","@clerk/shared@0.0.18","@clerk/shared@0.0.18-alpha.0","@clerk/shared@0.0.18-staging.0","@clerk/shared@0.0.18-staging.1","@clerk/shared@0.0.19","@clerk/shared@0.0.19-staging.0","@clerk/shared@0.0.2","@clerk/shared@0.0.2-staging.0","@clerk/shared@0.0.20","@clerk/shared@0.0.20-staging.0","@clerk/shared@0.0.21","@clerk/shared@0.0.21-staging.0","@clerk/shared@0.0.3-staging.0","@clerk/shared@0.0.4-staging.0","@clerk/shared@0.0.5","@clerk/shared@0.0.5-staging.0","@clerk/shared@0.0.6","@clerk/shared@0.0.7","@clerk/shared@0.0.8","@clerk/shared@0.0.9","@clerk/types@1.25.1","@clerk/types@1.25.1-staging.0","@clerk/types@1.25.2-staging.0","@clerk/types@1.25.3-staging.0","@clerk/types@1.25.4","@clerk/types@1.25.4-staging.0","@clerk/types@1.26.0","@clerk/types@1.27.0","@clerk/types@1.27.1","@clerk/types@1.28.0","@clerk/types@1.28.1","@clerk/types@1.28.2-staging.0","@clerk/types@1.28.3","@clerk/types@1.28.3-staging.0","@clerk/types@1.29.0","@clerk/types@1.29.1-staging.0","@clerk/types@1.29.2","@clerk/types@1.29.2-staging.0","@clerk/types@1.29.2-staging.1","@clerk/types@2.0.1-alpha.2","@clerk/types@2.0.1-alpha.3","@clerk/types@2.0.1-staging.0","@clerk/types@2.1.0-alpha.0","@clerk/types@2.1.1-alpha.0","@clerk/types@2.1.1-staging.0","@clerk/types@2.1.2-staging.0","@clerk/types@2.2.0","@clerk/types@2.2.0-alpha.0","@clerk/types@2.2.0-staging.0","@clerk/types@2.2.1","@clerk/types@2.2.1-staging.0","@clerk/types@2.3.0","@clerk/types@2.3.0-staging.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-53548.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"}]}