惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

Application and Cybersecurity Blog
Application and Cybersecurity Blog
A
About on SuperTechFans
S
SegmentFault 最新的问题
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
Help Net Security
Help Net Security
有赞技术团队
有赞技术团队
博客园 - 【当耐特】
O
OpenAI News
美团技术团队
月光博客
月光博客
Apple Machine Learning Research
Apple Machine Learning Research
Schneier on Security
Schneier on Security
Webroot Blog
Webroot Blog
Cyberwarzone
Cyberwarzone
Hacker News - Newest:
Hacker News - Newest: "LLM"
Google Online Security Blog
Google Online Security Blog
T
Tenable Blog
S
Security Affairs
博客园_首页
S
Schneier on Security
Security Latest
Security Latest
T
Threat Research - Cisco Blogs
T
Tailwind CSS Blog
大猫的无限游戏
大猫的无限游戏
Spread Privacy
Spread Privacy
量子位
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
K
Kaspersky official blog
Hugging Face - Blog
Hugging Face - Blog
TaoSecurity Blog
TaoSecurity Blog
博客园 - 聂微东
Vercel News
Vercel News
M
MIT News - Artificial intelligence
T
Troy Hunt's Blog
B
Blog
MongoDB | Blog
MongoDB | Blog
Martin Fowler
Martin Fowler
Attack and Defense Labs
Attack and Defense Labs
L
LINUX DO - 最新话题
D
DataBreaches.Net
cs.CV updates on arXiv.org
cs.CV updates on arXiv.org
Stack Overflow Blog
Stack Overflow Blog
cs.AI updates on arXiv.org
cs.AI updates on arXiv.org
博客园 - Franky
W
WeLiveSecurity
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
F
Fortinet All Blogs
www.infosecurity-magazine.com
www.infosecurity-magazine.com
C
Check Point Blog
H
Hacker News: Front Page

Clerk Changelog

Largest organizations report Flush elevation option for page-mounted components Groups and custom attributes mapping are now generally available Organizations support in OAuth Applications Improved observability with Application Logs Clerk CLI API Keys General Availability Directory Sync (SCIM) is now generally available Theme Expo native components from a JSON file Infinite scrolling in Overview tables Filter test users in Overview analytics Annual-only plans for Clerk Billing Preview Custom Session Claims Restrict end users from changing their identifiers Clerk Billing now supports plans with seat limits Overview for waitlist mode Clerk is now available in Stripe Projects Organization activity report Create and manage enterprise connections through Clerk's API Native React Native components, Google Sign-In, and Core 3 X social connection improvements JWT format support for M2M tokens Chrome Extension JavaScript SDK support Core 3 Organization retention report Require multi-factor authentication (MFA) on mobile Test enterprise connections with shareable links Clerk Convex integration for Swift and Kotlin Require multi-factor authentication (MFA) Improved visibility into Stripe account status Share Dashboard Analytics iOS and Android SDKs v1 New plans, more value User activity report Clerk Skills for AI Agents Custom plans and prices Automatically create first organization with smart naming User retention report Clerk MCP Server Sign-in with Solana Control available roles per organization with Role Sets Member role can no longer manage secret keys within the Clerk Dashboard JWT format support for OAuth access tokens Hide Incomplete Periods Manually force password resets Organization filters Organization Reports API Keys Public Beta Prebuilt Android Components Debug logs for enterprise connections Vercel SSO Provider Enable organizations from your app during development Manage organization roles and permissions through Clerk's API Use existing Stripe account for Clerk Billing Introducing Client Trust: Clerk’s free credential stuffing killer Update billing plan prices Native Sign in with Apple for Expo PKCE support for custom OAuth providers API Version 2025-11-10 Filter growth charts by churned users and organizations Command menu Start free trials without payment methods Organization Growth Analytics LLM Leaderboard M2M Tokens General Availability Infra Changelog - Oct 9, 2025 Clerk Leap Integration Organization slugs disabled by default Infra Changelog - Sep 25, 2025 SAML ForceAuthn Last-used sign-in method badge Android SDK General Availability Fetch user subscription Free trials for subscriptions Sign-in with Base Fetch organization subscription "Personal Accounts" disabled by default User cohorts in growth charts Production Testing Tokens M2M Tokens Public Beta shadcn/ui registry support Enabled ability to fetch billing plans Changes to allowlist and blocklist on sign in Android SDK Beta Prebuilt iOS Views Verified domains in Dashboard and in Backend API Protection against user enumeration Build custom flows with React and Clerk Billing Organization permissions are now unlimited Improved resilience with automatic regional failover MCP Server Support for Express New simple theme for easier customization End billing subscriptions immediately with the new End button Workspace level settings in the Dashboard Button components for Clerk Billing shadcn/ui theme compatibility Dark Mode for the Clerk Dashboard Clerk CSS variables support Clerk is now available on the Vercel Marketplace Organization Invitation Sorting
CVE-2025-53548
Bryce Kalow · 2025-07-09 · via Clerk Changelog

Summary

A vulnerability affecting @clerk/backend >= 2.0.0 < 2.4.0 was recently reported to the Clerk team and resolved. The vulnerability was discovered in the verifyWebhook() helper, which is used to verify incoming Clerk webhooks, and it allowed improperly signed webhook events to be accepted as legitimate. Potentially impacted customers have already been notified via email. If your application does not use verifyWebhook() you are not impacted.

Impact

Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.

Patches

  • @clerk/backend: the helper has been patched as of 2.4.0
  • @clerk/astro: the helper has been patched as of 2.10.2
  • @clerk/express: the helper has been patched as of 1.7.4
  • @clerk/fastify: the helper has been patched as of 2.4.4
  • @clerk/nextjs: the helper has been patched as of 6.23.3
  • @clerk/nuxt: the helper has been patched as of 1.7.5
  • @clerk/react-router: the helper has been patched as of 1.6.4
  • @clerk/remix: the helper has been patched as of 4.8.5
  • @clerk/tanstack-react-start: the helper has been patched as of 0.18.3

Resolution

The issue was resolved in @clerk/backend 2.4.0 by:

  • Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event

Workarounds

If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per this documentation.

Credits

Thanks to a Clerk customer for responsibly disclosing the issue to the team.

References