Intel

AIKIDO-2026-395995

@clerk/express is vulnerable to Authentication Bypass

Authentication Bypass Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published 6 days ago

59

Medium Risk

This Affects:

JS@clerk/express
0.0.1 - 2.1.24
Fixed in 2.1.25
Are you affected? Scan for Free

TL;DR

@clerk/express provides authentication middleware and helpers for Express applications. The middleware and helpers decide that authentication already ran by checking only for the presence of a req.auth property, a name also used by other authentication libraries such as express-jwt, Passport, and express-openid-connect. When one of those libraries runs first and sets req.auth, clerkMiddleware() and requireAuth() skip Clerk authentication and getAuth() returns the other library's unverified value, so a request can pass authentication checks without a valid Clerk session. The fix brands the handler Clerk installs and trusts only that branded handler, overwriting any foreign req.auth.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and your application also uses another authentication library that sets req.auth.

Background info

@clerk/express is vulnerable to Authentication Bypass in versions 0.0.1 - 2.1.24.

How to fix this

Upgrade the @clerk/express library to the patch version.