Advisories for Npm/@Clerk/Backend package

2026

Clerk has an authorization bypass when combining organization, billing, or reverification checks

has(), auth.protect(), and related authorization predicates in @clerk/shared, @clerk/nextjs, @clerk/backend, and other framework SDKs can return true for certain combined authorization checks when the result should be false, allowing a gated action to proceed for a user who does not satisfy the full set of requested conditions. Sessions are not compromised and no existing user can be impersonated. The bypass is limited to the authorization decision returned by the predicate. …

Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server.

2025

@clerk/backend Performs Insufficient Verification of Data Authenticity

Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events.