Highnikosdouvlis

Name of the Vulnerable Software and Affected Versions @clerk/backend versions 3.0.0 through 3.2.2 @clerk/express versions 2.0.0 through 2.0.6 @clerk/hono versions 0.1.0 through 0.1.4 @clerk/fastify versions 3.1.0 through 3.1.4 Description The `clerkFrontendApiProxy` function is susceptible to Server-Side Request Forgery (SSRF). An unauthenticated attacker can manipulate a request path to cause the proxy to transmit the application's `Clerk-Secret-Key` to a server controlled by the attacker. The vulnerability affects applications that have explicitly enabled the `frontendApiProxy` feature. Recommendations Upgrade to @clerk/backend version 3.2.3 or later. Upgrade to @clerk/express version 2.0.7 or later. Upgrade to @clerk/hono version 0.1.5 or later. Upgrade to @clerk/fastify version 3.1.5 or later. Rotate your Clerk Secret Key after upgrading.