Описание
@clerk/backend Performs Insufficient Verification of Data Authenticity
Impact
Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.
Patches
@clerk/backend: the helper has been patched as of2.4.0@clerk/astro: the helper has been patched as of2.10.2@clerk/express: the helper has been patched as of1.7.4@clerk/fastify: the helper has been patched as of2.4.4@clerk/nextjs: the helper has been patched as of6.23.3@clerk/nuxt: the helper has been patched as of1.7.5@clerk/react-router: the helper has been patched as of1.6.4@clerk/remix: the helper has been patched as of4.8.5@clerk/tanstack-react-start: the helper has been patched as of0.18.3
Resolution
The issue was resolved in @clerk/backend 2.4.0 by:
- Properly parsing the webhook request's signatures and comparing them against the signature generated from the received event
Workarounds
If unable to upgrade, developers can workaround this issue by verifying webhooks manually, per this documentation.
Пакеты
@clerk/backend
>= 2.0.0, < 2.4.0
2.4.0
@clerk/astro
>= 2.9.0, < 2.10.2
2.10.2
@clerk/express
>= 1.6.0, < 1.7.4
1.7.4
@clerk/fastify
>= 2.3.0, < 2.4.4
2.4.4
@clerk/nextjs
>= 6.2.10, < 6.23.3
6.23.3
@clerk/nuxt
>= 1.7.0, < 1.7.5
1.7.5
@clerk/react-router
>= 1.5.0, < 1.6.4
1.6.4
@clerk/remix
>= 4.8.0, < 4.8.5
4.8.5
@clerk/tanstack-react-start
>= 0.16.0, < 0.18.3
0.18.3
Связанные уязвимости
Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0.