@clerk/shared 4.3.3-canary.v20260323213541

Direct Vulnerabilities

Known vulnerabilities in the @clerk/shared package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Incorrect Authorization @clerk/shared is an Internal package utils used by the Clerk SDKs Affected versions of this package are vulnerable to Incorrect Authorization through the `createProtect` and `createCheckAuthorization` functions. An attacker can gain access to protected pages or handlers by supplying a single `auth.protect()` or `has()` call that mixes authorization criteria with redirect/token options, or by combining multiple authorization dimensions where one should deny but is treated as indeterminate. The vulnerable logic in `createProtect` can bypass role, permission, feature, plan, or re-verification checks when the same object also includes `unauthenticatedUrl`, `unauthorizedUrl`, or `token`, allowing authenticated callers through without the intended authorization test. In `createCheckAuthorization`, combined checks across organization, billing, and reverification can return success when one dimension passes, and another lacks valid session data, allowing users to reach admin-only or otherwise restricted functionality and bypass access controls. Note: From the project maintainers: If you pin @clerk/clerk-js directly, upgrade it to the patched version. Most apps load @clerk/clerk-js from Clerk's CDN through their framework package and will receive the fix automatically, with no upgrade step required. How to fix Incorrect Authorization? Upgrade `@clerk/shared` to version 3.47.5, 4.8.3 or higher.	>=3.0.0 <3.47.5>=4.0.0 <4.8.3
C Incorrect Authorization @clerk/shared is an Internal package utils used by the Clerk SDKs Affected versions of this package are vulnerable to Incorrect Authorization via the `createPathMatcher()` function in `@clerk/shared` used by downstream `createRouteMatcher()`. An attacker can gain unauthorized access to protected routes by crafting requests that bypass middleware checks and reach downstream handlers. How to fix Incorrect Authorization? Upgrade `@clerk/shared` to version 2.22.1, 3.47.4, 4.8.1 or higher.	>=2.20.17 <2.22.1>=3.47.3 <3.47.4>=4.0.0 <4.8.1

Vulnerability

Vulnerable Version

Incorrect Authorization

@clerk/shared is an Internal package utils used by the Clerk SDKs

Affected versions of this package are vulnerable to Incorrect Authorization through the createProtect and createCheckAuthorization functions. An attacker can gain access to protected pages or handlers by supplying a single auth.protect() or has() call that mixes authorization criteria with redirect/token options, or by combining multiple authorization dimensions where one should deny but is treated as indeterminate.

The vulnerable logic in createProtect can bypass role, permission, feature, plan, or re-verification checks when the same object also includes unauthenticatedUrl, unauthorizedUrl, or token, allowing authenticated callers through without the intended authorization test. In createCheckAuthorization, combined checks across organization, billing, and reverification can return success when one dimension passes, and another lacks valid session data, allowing users to reach admin-only or otherwise restricted functionality and bypass access controls.

Note: From the project maintainers: If you pin @clerk/clerk-js directly, upgrade it to the patched version. Most apps load @clerk/clerk-js from Clerk's CDN through their framework package and will receive the fix automatically, with no upgrade step required.

How to fix Incorrect Authorization?

Upgrade @clerk/shared to version 3.47.5, 4.8.3 or higher.

>=3.0.0 <3.47.5>=4.0.0 <4.8.3

Incorrect Authorization

@clerk/shared is an Internal package utils used by the Clerk SDKs

Affected versions of this package are vulnerable to Incorrect Authorization via the createPathMatcher() function in @clerk/shared used by downstream createRouteMatcher(). An attacker can gain unauthorized access to protected routes by crafting requests that bypass middleware checks and reach downstream handlers.

How to fix Incorrect Authorization?

Upgrade @clerk/shared to version 2.22.1, 3.47.4, 4.8.1 or higher.

>=2.20.17 <2.22.1>=3.47.3 <3.47.4>=4.0.0 <4.8.1

@clerk/shared@4.3.3-canary.v20260323213541

Internal package utils used by the Clerk SDKs

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically