{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2025-53548", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2025-07-02T15:15:11.516Z", "datePublished": "2025-07-09T17:12:10.483Z", "dateUpdated": "2025-07-09T17:34:36.765Z"}, "containers": {"cna": {"title": "@clerk/backend Performs Insufficient Verification of Data Authenticity", "problemTypes": [{"descriptions": [{"cweId": "CWE-345", "lang": "en", "description": "CWE-345: Insufficient Verification of Data Authenticity", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9"}], "affected": [{"vendor": "clerk", "product": "javascript", "versions": [{"version": "< 2.4.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-09T17:12:10.483Z"}, "descriptions": [{"lang": "en", "value": "Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0."}], "source": {"advisory": "GHSA-9mp4-77wg-rwx9", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-07-09T17:34:18.708328Z", "id": "CVE-2025-53548", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-09T17:34:36.765Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-53548", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-07-09T17:34:18.708328Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-07-09T17:34:28.635Z"}}], "cna": {"title": "@clerk/backend Performs Insufficient Verification of Data Authenticity", "source": {"advisory": "GHSA-9mp4-77wg-rwx9", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}], "affected": [{"vendor": "clerk", "product": "javascript", "versions": [{"status": "affected", "version": "< 2.4.0"}]}], "references": [{"url": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9", "name": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345: Insufficient Verification of Data Authenticity"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2025-07-09T17:12:10.483Z"}}}, "cveMetadata": {"cveId": "CVE-2025-53548", "state": "PUBLISHED", "dateUpdated": "2025-07-09T17:34:36.765Z", "dateReserved": "2025-07-02T15:15:11.516Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2025-07-09T17:12:10.483Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Clerk helps developers build user management. Applications that use the verifyWebhook() helper to verify incoming Clerk webhooks are susceptible to accepting improperly signed webhook events. The issue was resolved in @clerk/backend 2.4.0."}, {"lang": "es", "value": "Clerk ayuda a los desarrolladores a crear la gesti\u00f3n de usuarios. Las aplicaciones que usan el asistente verifyWebhook() para verificar los webhooks entrantes de Clerk son susceptibles de aceptar eventos de webhooks firmados incorrectamente. El problema se resolvi\u00f3 en @clerk/backend 2.4.0."}], "id": "CVE-2025-53548", "lastModified": "2025-07-10T13:17:30.017", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "[email protected]", "type": "Secondary"}]}, "published": "2025-07-09T18:15:24.157", "references": [{"source": "[email protected]", "url": "https://github.com/clerk/javascript/security/advisories/GHSA-9mp4-77wg-rwx9"}], "sourceIdentifier": "[email protected]", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}], "source": "[email protected]", "type": "Primary"}]}

{}