@clerk/clerk-js 5.119.0

Direct Vulnerabilities

Known vulnerabilities in the @clerk/clerk-js package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Incorrect Authorization @clerk/clerk-js is a Clerk JS library Affected versions of this package are vulnerable to Incorrect Authorization through the `createProtect` and `createCheckAuthorization` functions. An attacker can gain access to protected pages or handlers by supplying a single `auth.protect()` or `has()` call that mixes authorization criteria with redirect/token options, or by combining multiple authorization dimensions where one should deny but is treated as indeterminate. The vulnerable logic in `createProtect` can bypass role, permission, feature, plan, or re-verification checks when the same object also includes `unauthenticatedUrl`, `unauthorizedUrl`, or `token`, allowing authenticated callers through without the intended authorization test. In `createCheckAuthorization`, combined checks across organization, billing, and reverification can return success when one dimension passes, and another lacks valid session data, allowing users to reach admin-only or otherwise restricted functionality and bypass access controls. Note: From the project maintainers: If you pin @clerk/clerk-js directly, upgrade it to the patched version. Most apps load @clerk/clerk-js from Clerk's CDN through their framework package and will receive the fix automatically, with no upgrade step required. How to fix Incorrect Authorization? Upgrade `@clerk/clerk-js` to version 5.125.10, 6.7.5 or higher.	>=5.22.0 <5.125.10>=6.0.0 <6.7.5

Vulnerability

Vulnerable Version

Incorrect Authorization

@clerk/clerk-js is a Clerk JS library

Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single auth.protect() or has() call that mixes authorization criteria with redirect/token options, or by combining multiple authorization dimensions where one should deny but is treated as indeterminate.

The vulnerable logic in createProtect can bypass role, permission, feature, plan, or re-verification checks when the same object also includes unauthenticatedUrl, unauthorizedUrl, or token, allowing authenticated callers through without the intended authorization test. In createCheckAuthorization, combined checks across organization, billing, and reverification can return success when one dimension passes, and another lacks valid session data, allowing users to reach admin-only or otherwise restricted functionality and bypass access controls.

Note: From the project maintainers: If you pin @clerk/clerk-js directly, upgrade it to the patched version. Most apps load @clerk/clerk-js from Clerk's CDN through their framework package and will receive the fix automatically, with no upgrade step required.

How to fix Incorrect Authorization?

Upgrade @clerk/clerk-js to version 5.125.10, 6.7.5 or higher.

>=5.22.0 <5.125.10>=6.0.0 <6.7.5

@clerk/clerk-js@5.119.0

Clerk JS library

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically