Auth bypass fixed; Clerk middleware now trusted
@clerk/express@2.1.25
Patch Changes
-
Fix an authentication bypass where a
req.authvalue set by another library (such asexpress-jwt, Passport, orexpress-openid-connect) causedclerkMiddleware()andrequireAuth()to silently skip Clerk authentication, andgetAuth()to return the unverified foreign value. Clerk now brands thereq.authhandler it installs and only trusts that handler:clerkMiddleware()authenticates the request and overwrites a foreignreq.auth(logging a warning when it does), andgetAuth()throws its "middleware required" error instead of reading foreign data. (#8804) by @jacekradko -
Updated dependencies [
a5c7bc7]:- @clerk/shared@4.17.0
- @clerk/backend@3.6.1
Fetched June 10, 2026


