
12 matches found

Cvelist
added 2026/04/01 4:59 p.m. · 21 views

CVE-2026-34076 Clerk JavaScript: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Clerk JavaScript is the official JavaScript repository for Clerk authentication. In @clerk/hono from versions 0.1.0 to before 0.1.5, @clerk/express from versions 2.0.0 to before 2.0.7, @clerk/backend from versions 3.0.0 to before 3.2.3, and @clerk/fastify from versions 3.1.0 to before 3.1.5, the...

7.4 CVSS · 0.00025 EPSS
Exploits 0 · References 1
OSV
added 2026/03/27 7:58 p.m. · 2 views

GHSA-GJXX-92W9-8V8F Clerk: SSRF in the opt-in clerkFrontendApiProxy feature may leak secret keys to unintended host

Summary: The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. Affected packages: Only applicatio...

7.4 CVSS · 6 AI score · 0.00025 EPSS
Exploits 0 · References 3
Snyk
added 2026/03/27 7:58 p.m. · 3 views

Server-side Request Forgery (SSRF)

Overview: @clerk/backend is a Clerk Backend SDK - REST Client for Backend API & JWT verification utilities. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the clerkFrontendApiProxy function. An attacker can obtain secret keys by crafting a request path that...

9.1 CVSS · 5.9 AI score · 0.00025 EPSS
Exploits 0 · References 2
Positive Technologies
added 2026/03/27 12:0 a.m. · 3 views

PT-2026-28602

Summary: The clerkFrontendApiProxy function in @clerk/backend is vulnerable to Server-Side Request Forgery (SSRF). An unauthenticated attacker can craft a request path that causes the proxy to send the application's Clerk-Secret-Key to an attacker-controlled server. Affected packages: Only applicatio...

7.4 CVSS · 6 AI score · 0.00025 EPSS
Exploits 0 · References 3
EUVD
added 2025/10/03 8:7 p.m. · 3 views

EUVD-2024-16343

Malicious code in bioql PyPI...

9.6 CVSS · 9.4 AI score · 0.00849 EPSS
Exploits 1 · References 2
OSV
added 2025/08/29 7:20 p.m. · 1 views

MAL-2025-41825 Malicious code in @callcenter-frontend/api (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 924eeec3ead0762c18ae254572edc5e76a3a27d3003bdea3c80eb6902fccf7c8 The OpenSSF Package Analysis project identified...

6.9 AI score
Exploits 0
OSSF Malicious Packages
added 2025/08/29 7:20 p.m. · 2 views

Malicious code in @callcenter-frontend/api (npm)

The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis 924eeec3ead0762c18ae254572edc5e76a3a27d3003bdea3c80eb6902fccf7c8 The OpenSSF Package Analysis project identified...

6.9 AI score
Exploits 0
OSSF Malicious Packages
added 2025/08/14 6:52 p.m. · 1 views

Malicious code in @tiktok-frontend/api-demo-sample-lib2 (npm)

The package @tiktok-frontend/api-demo-sample-lib2 was found to contain malicious code...

7 AI score
Exploits 0
NVD
added 2024/02/28 5:15 a.m. · 11 views

CVE-2024-0550

A user who is already privileged (manager or admin) can set their profile picture via the frontend API using a relative filepath, then use the PFP GET API to download any valid files. The attacker would have to have been granted privileged permissions to the system before executing this attack...

9.6 CVSS · 9.3 AI score · 0.00849 EPSS
Exploits 1 · References 2
Prion
added 2024/02/28 5:15 a.m. · 12 views

Design/Logic Flaw

A user who is already privileged (manager or admin) can set their profile picture via the frontend API using a relative filepath, then use the PFP GET API to download any valid files. The attacker would have to have been granted privileged permissions to the system before executing this attack...

5.5 CVSS · 7.1 AI score · 0.00849 EPSS
Exploits 1 · References 2
CVE
added 2024/02/28 4:52 a.m. · 122 views

CVE-2024-0550

CVE-2024-0550 describes a traversal-like flaw where a user with privileged rights (manager/admin) can set their profile picture via the frontend API using a relative filepath, then invoke the PFP GET API to read/download arbitrary files. This is evidenced by multiple sources (e.g., Red Hat, NVD, ...

9.6 CVSS · 9.3 AI score · 0.00849 EPSS
Exploits 1 · References 2 · Affected Software 1
Positive Technologies
added 2024/02/27 12:0 a.m. · 3 views

PT-2024-15650 · Git +2 · Anything-Llm +1

Name of the Vulnerable Software and Affected Versions: No specific software or versions are mentioned in the provided descriptions. Description: A user who is already privileged as manager or admin can exploit this issue by setting their profile picture via the frontend API using a relative...

9.6 CVSS · 6.9 AI score · 0.00849 EPSS
Exploits 1 · References 7