Description
Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5.
Published: 2026-04-01
Score: 7.4 High
EPSS: < 1% Very Low
KEV: No
Impact: Secret key disclosure via SSRF
Action: Immediate Patch
AI Analysis

Impact

Clerk JavaScript’s clerkFrontendApiProxy feature is susceptible to Server-Side Request Forgery, allowing an unauthenticated attacker to craft a request path that causes the proxy to forward the application’s Clerk‑Secret‑Key to an external host. The vulnerability, identified as CWE‑918, results in a confidentiality breach that could enable the attacker to perform further malicious actions or gain unauthorized access to protected resources.

Affected Systems

The issue affects Clerk’s official JavaScript SDK, specifically @clerk/hono versions 0.1.0 to 0.1.4, @clerk/express versions 2.0.0 to 2.0.6, @clerk/backend versions 3.0.0 to 3.2.2, and @clerk/fastify versions 3.1.0 to 3.1.4. Updated releases are available that contain the fix.

Risk and Exploitability

With a CVSS score of 7.4 the vulnerability is considered high severity. While EPSS data is unavailable and it is not listed in the CISA KEV catalog, the vulnerability can be exploited without authentication, provided the attacker can send a crafted request to the application. The attack path involves supplying a malicious path to the clerkFrontendApiProxy endpoint, which will then forward the secret key to the attacker-controlled server, potentially exposing credentials used by the application.

Generated by OpenCVE AI on April 2, 2026 at 03:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade all Clerk packages to the patched versions: @clerk/hono v0.1.5 or newer, @clerk/express v2.0.7 or newer, @clerk/backend v3.2.3 or newer, @clerk/fastify v3.1.5 or newer.

Generated by OpenCVE AI on April 2, 2026 at 03:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-gjxx-92w9-8v8f Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
History

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Clerk
Clerk javascript
Vendors & Products Clerk
Clerk javascript

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. This issue has been patched in @clerk/hono version 0.1.5, @clerk/express version 2.0.7, @clerk/backend version 3.2.3, and @clerk/fastify version 3.1.5.
Title Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
Weaknesses CWE-918
References
Metrics cvssV3_1

{'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Subscriptions

Clerk Javascript
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T18:00:23.118Z

Reserved: 2026-03-25T16:21:40.868Z

Link: CVE-2026-34076

cve-icon Vulnrichment

Updated: 2026-04-01T18:00:19.126Z

cve-icon NVD

Status : Deferred

Published: 2026-04-01T18:16:29.527

Modified: 2026-04-29T20:58:46.330

Link: CVE-2026-34076

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-02T20:17:11Z

Weaknesses