GHSA-gjxx-92w9-8v8f
Suggest an improvement- Source
- https://github.com/advisories/GHSA-gjxx-92w9-8v8f
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/03/GHSA-gjxx-92w9-8v8f/GHSA-gjxx-92w9-8v8f.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-gjxx-92w9-8v8f
- Aliases
-
- CVE-2026-34076
- Published
- 2026-03-27T19:58:19Z
- Modified
- 2026-04-06T17:04:07.972168Z
- Severity
-
- 7.4 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N CVSS Calculator
- Summary
- Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host
- Details
-
Summary
The
clerkFrontendApiProxyfunction in@clerk/backendis vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application'sClerk-Secret-Keyto an attacker-controlled server.Affected packages
Only applications that have opted into the
frontendApiProxyfeature are affected. This feature is not enabled by default. Users of@clerk/nextjsare not affected due to how the framework handles repeated/in request paths.| Package | Affected versions | Fixed version | |---|---|---| |
@clerk/backend|>= 3.0.0, <= 3.2.2|3.2.3| |@clerk/express|>= 2.0.0, <= 2.0.6|2.0.7| |@clerk/hono|>= 0.1.0, <= 0.1.4|0.1.5| |@clerk/fastify|>= 3.1.0, <= 3.1.4|3.1.5|Search your codebase for the
frontendApiProxyoption. If none of the patterns below appear in your code, you are not affected.@clerk/express
app.use(clerkMiddleware({ frontendApiProxy: { enabled: true } }));@clerk/hono
app.use('*', clerkMiddleware({ frontendApiProxy: { enabled: true } }));@clerk/fastify
fastify.register(clerkPlugin, { frontendApiProxy: { enabled: true } });@clerk/backend
import { clerkFrontendApiProxy } from '@clerk/backend/proxy';A quick way to check across your entire project:
grep -r "frontendApiProxy\|clerkFrontendApiProxy" .If there are no matches, you are not using this feature.
Recommended actions
Clerk's internal logs show no evidence of users utilizing the built-in proxy with the impacted versions. Despite that, if you are on an impacted version and use the built-in proxy we recommend upgrading and rotating your Clerk Secret Key immediately.
- Upgrade to the patched version of
@clerk/backend(and@clerk/express,@clerk/hono, etc.) - Rotate your Clerk Secret Key after upgrading - if an attacker exploited this vulnerability, they may have captured your key. Rotate it in the Clerk Dashboard under API Keys. You should deploy your application with the updated key before revoking the existing key.
- Audit access logs for requests to your proxy endpoint (
/__clerk/by default) containing double slashes in the path.
Credit
Discovered during an internal code audit.
- Upgrade to the patched version of
- Database specific
{ "cwe_ids": [ "CWE-918" ], "github_reviewed": true, "github_reviewed_at": "2026-03-27T19:58:19Z", "nvd_published_at": "2026-04-01T18:16:29Z", "severity": "HIGH" }- References
Affected packages
npm / @clerk/backend
Package
- Name
- @clerk/backend
- View open source insights on deps.dev
- Purl
- pkg:npm/%40clerk/backend
npm / @clerk/express
Package
- Name
- @clerk/express
- View open source insights on deps.dev
- Purl
- pkg:npm/%40clerk/express
npm / @clerk/hono
Package
- Name
- @clerk/hono
- View open source insights on deps.dev
- Purl
- pkg:npm/%40clerk/hono
npm / @clerk/fastify
Package
- Name
- @clerk/fastify
- View open source insights on deps.dev
- Purl
- pkg:npm/%40clerk/fastify