

























A vulnerability affecting @clerk/backend >= 2.0.0 < 2.4.0 was recently reported to the Clerk team and resolved. The vulnerability was discovered in the verifyWebhook() helper, which is used to verify incoming Clerk webhooks, and it allowed improperly signed webhook events to be accepted as legitimate. Potentially impacted customers have already been notified via email. If your application does not use verifyWebhook() you are not impacted.
Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.
@clerk/backend: the helper has been patched as of 2.4.0@clerk/astro: the helper has been patched as of 2.10.2@clerk/express: the helper has been patched as of 1.7.4@clerk/fastify: the helper has been patched as of 2.4.4@clerk/nextjs: the helper has been patched as of 6.23.3@clerk/nuxt: the helper has been patched as of 1.7.5@clerk/react-router: the helper has been patched as of 1.6.4@clerk/remix: the helper has been patched as of 4.8.5@clerk/tanstack-react-start: the helper has been patched as of 0.18.3The issue was resolved in @clerk/backend 2.4.0 by:
If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per this documentation.
Thanks to a Clerk customer for responsibly disclosing the issue to the team.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。