A critical security vulnerability has been uncovered in Clerk, a popular user management platform. The flaw, which carries a CVSS score of 9.1, impacts the createRouteMatcher utility across several major frameworks, including Next.js, Nuxt, and Astro.
The core of the issue lies in how createRouteMatcher evaluates incoming requests. Researchers found that specifically crafted requests can bypass the middleware-level gating decision, allowing unauthorized traffic to reach downstream handlers like API routes, server components, or server actions.
For developers relying solely on middleware for security, this presents a significant risk. As the advisory explains: “Apps relying only on middleware gating via createRouteMatcher are affected, because a crafted request can skip middleware checks and reach downstream handlers”.
Despite the critical rating, the scope of the vulnerability is strictly limited to the initial “gatekeeping” layer. “Sessions are not compromised and no existing user can be impersonated – the bypass only affects the middleware-level gating decision,” Clerk confirmed.
Crucially, the underlying authentication state remains intact. The clerkMiddleware still correctly authenticates the request, and the auth() function accurately reflects whether the caller is logged in. This means that if an application has additional security checks within its actual route handlers or components, those defenses will continue to function correctly.
Clerk has released a comprehensive set of patches across all affected frameworks. These updates are designed as “drop-in” fixes with no required API changes, making the upgrade process straightforward for developers.
Fixed Versions by Framework:
- @clerk/nextjs: Fixed in versions 7.2.1 (v7.x), 6.39.2 (v6.x), and 5.7.6 (v5.x).
- @clerk/nuxt: Fixed in versions 2.2.2 (v2.x) and 1.13.28 (v1.x).
- @clerk/astro: Fixed in versions 3.0.15 (v3.x), 2.17.10 (v2.x), and 1.5.7 (v1.x).
- @clerk/shared: Fixed in 4.8.1 (v4.x), 3.47.4 (v3.x), and 2.22.1 (v2.x).
For those who cannot upgrade their dependencies immediately, there is a reliable way to harden their applications. By adding server-side auth checks (using the auth() function) directly inside route handlers and server components, developers can provide a critical second layer of security.
“Adding server-side auth checks (auth()) inside your route handlers, server components, or server actions provides defense-in-depth against this bypass,” the advisory recommends.
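The defense-in-depth pattern the advisory recommends, as an added illustration that is not Clerk's code: the request pipeline, the `auth()` stand-in and the two handlers below are all constructed stand-ins, and the "gate skipped" flag only models a request reaching the handler without the middleware decision (the bypass itself is not reproduced). In a real Next.js app the handler-level check would use `auth()` from `@clerk/nextjs/server` instead.

```typescript
// Constructed types: the session is the identity that clerkMiddleware has
// already resolved (the page notes this authentication state stays intact).
type AuthState = { userId: string | null };
type Req = { path: string; session: AuthState };
type Res = { status: number; body?: string };

// Stand-in for Clerk's auth(): exposes the resolved session to the handler.
function auth(req: Req): AuthState {
  return req.session;
}

// Handler that trusts middleware gating alone: if the gate is skipped,
// it hands the protected resource to anyone.
function unguardedHandler(_req: Req): Res {
  return { status: 200, body: "secret report" };
}

// Hardened handler: re-checks auth() itself, so it denies the request
// even when the middleware decision never happened.
function guardedHandler(req: Req): Res {
  const { userId } = auth(req);
  if (!userId) return { status: 401, body: "unauthenticated" };
  return { status: 200, body: `secret report for ${userId}` };
}

// Simplified middleware gate in front of a handler. `gateSkipped` models the
// page's scenario of a request that reaches the handler without the gating
// decision; how such a request is crafted is intentionally not shown.
function dispatch(req: Req, handler: (r: Req) => Res, gateSkipped: boolean): Res {
  const isProtected = req.path.startsWith("/api/protected");
  if (!gateSkipped && isProtected && !auth(req).userId) {
    return { status: 401, body: "blocked by middleware" };
  }
  return handler(req);
}

// Constructed sample requests: one anonymous, one authenticated.
const anonReq: Req = { path: "/api/protected/report", session: { userId: null } };
const userReq: Req = { path: "/api/protected/report", session: { userId: "user_alice" } };

// With the gate skipped, only the guarded handler still returns 401 for anonReq.
console.log(dispatch(anonReq, unguardedHandler, true).status); // 200: data leaks
console.log(dispatch(anonReq, guardedHandler, true).status);   // 401: still denied
console.log(dispatch(userReq, guardedHandler, true).status);   // 200: legitimate user
```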