releases.shpreview

Auth bypass fixed; Clerk middleware now trusted

@clerk/express@2.1.25

1 fixThis release1 fixBug fixesAI-tallied from the release notes
From the original release noteView original ↗

Patch Changes

  • Fix an authentication bypass where a req.auth value set by another library (such as express-jwt, Passport, or express-openid-connect) caused clerkMiddleware() and requireAuth() to silently skip Clerk authentication, and getAuth() to return the unverified foreign value. Clerk now brands the req.auth handler it installs and only trusts that handler: clerkMiddleware() authenticates the request and overwrites a foreign req.auth (logging a warning when it does), and getAuth() throws its "middleware required" error instead of reading foreign data. (#8804) by @jacekradko

  • Updated dependencies [a5c7bc7]:

    • @clerk/shared@4.17.0
    • @clerk/backend@3.6.1

Fetched June 10, 2026

Auth bypass fixed; Clerk middleware now trusted… — releases.sh