@clerk/express is vulnerable to Authentication Bypass
59
Medium Risk
@clerk/express provides authentication middleware and helpers for Express applications. The middleware and helpers decide that authentication already ran by checking only for the presence of a req.auth property, a name also used by other authentication libraries such as express-jwt, Passport, and express-openid-connect. When one of those libraries runs first and sets req.auth, clerkMiddleware() and requireAuth() skip Clerk authentication and getAuth() returns the other library's unverified value, so a request can pass authentication checks without a valid Clerk session. The fix brands the handler Clerk installs and trusts only that branded handler, overwriting any foreign req.auth.
You are affected if you are using a version that falls within the vulnerable range and your application also uses another authentication library that sets req.auth.
@clerk/express is vulnerable to Authentication Bypass in versions 0.0.1 - 2.1.24.
Upgrade the @clerk/express library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant