13 matches found

vulnersOsv
added 2026/04/30 6:20 p.m., 7 views

@clerk/chrome-extension (>=3.0.0 <=3.1.32-canary.v20260529204536), @clerk/expo (>=3.0.0 <=3.3.1-canary.v20260529204536) +3 more potentially affected by CVE-2026-42349 via @clerk/clerk-js (>=6.0.1-canary.v20260303211310 <=6.7.5-snapshot.v20260421194054)

@clerk/clerk-js NPM version =6.0.1-canary.v20260303211310, =3.0.0, =3.0.0, =0.2.13, =0.2.0, =0.8.3 - tauri-plugin-clerk =0.1.1 Source cves: CVE-2026-42349 Source advisory: SNYK:JS-CLERKCLERKJS-16347748...

CVSS 8.1, AI score 5.4, EPSS 0.00246
Exploits: 0

vulnersOsv
added 2026/04/30 6:20 p.m., 7 views

@clerk/chrome-extension (>=3.0.0 <=3.1.32-canary.v20260529204536), @clerk/expo (>=3.0.0 <=3.3.1-canary.v20260529204536) +3 more potentially affected by CVE-2026-42349 via @clerk/clerk-js (>=6.0.1-canary.v20260303211310 <=6.7.5-snapshot.v20260421194054)

@clerk/clerk-js NPM version =6.0.1-canary.v20260303211310, =3.0.0, =3.0.0, =0.2.13, =0.2.0, =0.8.3 - tauri-plugin-clerk =0.1.1 Source cves: CVE-2026-42349 Source advisory: OSV:GHSA-W24R-5266-9C3C...

CVSS 8.1, AI score 5.4, EPSS 0.00246
Exploits: 0

Positive Technologies
added 2026/04/30 12:0 a.m., 12 views

PT-2026-36820

Name of the Vulnerable Software and Affected Versions: @clerk/clerk-js versions prior to 5.125.10; @clerk/clerk-js versions prior to 6.7.5; @clerk/shared affected versions not specified; @clerk/nextjs affected versions not specified; @clerk/backend affected versions not specified. Description...

CVSS 8.1, AI score 5.8, EPSS 0.00246
Exploits: 0, References: 7

OSV
added 2026/01/21 4:39 a.m., 3 views

MAL-2026-410 Malicious code in clerk-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 380b4e8d88a5d8a96ffe344566787326dbace52224d29a853cd4553fac40bd1c The package clerk-js was found to contain malicious code. Source: ghsa-malware 2433ecd39bbf328a21740fa34f33bb09d575e76f6f280b915c7ea15fbc55c2b3 Any...

AI score 5.5
Exploits: 0, References: 1

Snyk
added 2026/01/21 4:39 a.m., 2 views

Malicious Package

Overview clerk-js is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorship...

CVSS 9.8, AI score 5.5
Exploits: 0, References: 2

OSSF Malicious Packages
added 2026/01/21 4:39 a.m., 9 views

Malicious code in clerk-js (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 380b4e8d88a5d8a96ffe344566787326dbace52224d29a853cd4553fac40bd1c The package clerk-js was found to contain malicious code. Source: ghsa-malware 2433ecd39bbf328a21740fa34f33bb09d575e76f6f280b915c7ea15fbc55c2b3 Any...

AI score 5.5
Exploits: 0, References: 1

EUVD
added 2026/01/21 4:39 a.m., 3 views

EUVD-2026-3737

Malicious code in clerk-js npm...

AI score 5.5
Exploits: 0, References: 1

RedhatCVE
added 2025/11/21 12:18 a.m., 12 views

CVE-2025-63700

An issue was discovered in clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage. NOTE: this is disputed by the Supplier because there is no available information to reproduce the issue, and because an OAuth...

CVSS 7.5, AI score 6.8, EPSS 0.00095
Exploits: 0, References: 1

Github Security Blog
added 2025/11/20 9:30 p.m., 15 views

Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage

An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage...

AI score 7.2, EPSS 0.00095
Exploits: 0, References: 4, Affected Software: 1

vulnersOsv
added 2025/11/20 9:30 p.m., 11 views

@authsome/adapter-clerk (>=0.1.1 <=0.1.12), @billyjacoby/clerk-react-native (>=1.0.0 <=1.0.4) +51 more potentially affected by CVE-2025-63700 via @clerk/clerk-js (>=1.35.1 <=5.85.0)

@clerk/clerk-js NPM version =1.35.1, =0.1.1, =1.0.0, =1.0.16, =1.0.1, =0.2.0, =0.0.1, =2.19.0, =0.1.0, =0.24.2-dev-clerk, =0.24.2-dev-clerk, =0.24.3-dev-ensure-cloud-token-6, =0.0.0, =0.0.5, =0.0.21 and more Source cves: CVE-2025-63700 Source advisory: OSV:GHSA-3MM3-WFPV-Q85G...

AI score 5.8, EPSS 0.00095
Exploits: 0

OSV
added 2025/11/20 9:30 p.m., 4 views

GHSA-3MM3-WFPV-Q85G Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage

An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage...

CVSS 8.7, AI score 7.1, EPSS 0.00095
Exploits: 0, References: 4

NVD
added 2025/11/20 7:16 p.m., 5 views

CVE-2025-63700

Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none...

EPSS 0.00095
Exploits: 0

Cvelist
added 2025/11/20 12:0 a.m., 6 views

CVE-2025-63700

...

EPSS 0.00095
Exploits: 0