Clerk SDKs fix createRouteMatcher middleware bypass
TL;DR - createRouteMatcher in Clerk's Next.js/Nuxt/Astro SDKs can be bypassed by crafted requests, letting traffic skip middleware gating and reach downstream handlers (CVSS 9.1).
What happened
Clerk JavaScript is the official SDK set used to integrate Clerk authentication into frameworks like Next.js, Nuxt, and Astro.
CVE-2026-41248 is a middleware route-protection bypass: createRouteMatcher can be bypassed by certain crafted requests, allowing requests to skip the intended middleware gating and still hit downstream handlers. The CVE is scored CVSS 3.1 9.1 (Critical).
This is a high-leverage failure mode because many teams put their primary auth gate in framework middleware. When that gate is bypassable, every downstream handler becomes a potential unauthenticated entry point.
Who is impacted
- Applications using createRouteMatcher via @clerk/nextjs, @clerk/nuxt, or @clerk/astro in the affected version ranges.
| Package | Affected versions (per CVE record) | Fixed versions (per CVE record) |
|---|---|---|
| @clerk/nextjs | >= 5.0.0, < 5.7.6 | 5.7.6 |
| @clerk/nextjs | >= 6.0.0-snapshot.vb87a27f, < 6.39.2 | 6.39.2 |
| @clerk/nextjs | >= 7.0.0, < 7.2.1 | 7.2.1 |
| @clerk/nuxt | >= 1.1.0, < 1.13.28 | 1.13.28 |
| @clerk/nuxt | >= 2.0.0, < 2.2.2 | 2.2.2 |
| @clerk/astro | >= 0.0.1, < 1.5.7 | 1.5.7 |
| @clerk/astro | >= 2.0.0-snapshot.v20241206174604, <= 2.17.9 | 2.17.10 |
| @clerk/astro | >= 3.0.0, < 3.0.15 | 3.0.15 |
| @clerk/shared | >= 2.20.17, < 2.22.1 | 2.22.1 |
| @clerk/shared | >= 3.0.0-canary.v20250225091530, < 3.47.4 | 3.47.4 |
| @clerk/shared | >= 4.0.0, < 4.8.1 | 4.8.1 |
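To turn the table above into an inventory check, here is an added example (not Clerk's code and not a tool from the CVE record) that scans an npm package-lock.json for installed copies of the four packages and flags any whose version falls in an affected range. It assumes a lockfileVersion 2 or 3 file with a `packages` map, and it uses a deliberately small version comparison: prereleases sort before the matching release and two prerelease tags are compared as plain strings, which is an approximation of full semver ordering but adequate for the snapshot/canary tags in the table.

```javascript
// Added example (not Clerk's code): scan an npm package-lock.json (lockfileVersion 2/3,
// "packages" map) for Clerk packages inside the affected ranges listed in the CVE record.

// Ranges copied from the affected/fixed table above. `maxInclusive` marks the single
// "<=" upper bound (@clerk/astro 2.x); every other upper bound is exclusive.
const AFFECTED_RANGES = {
  "@clerk/nextjs": [
    { min: "5.0.0", max: "5.7.6", fixed: "5.7.6" },
    { min: "6.0.0-snapshot.vb87a27f", max: "6.39.2", fixed: "6.39.2" },
    { min: "7.0.0", max: "7.2.1", fixed: "7.2.1" },
  ],
  "@clerk/nuxt": [
    { min: "1.1.0", max: "1.13.28", fixed: "1.13.28" },
    { min: "2.0.0", max: "2.2.2", fixed: "2.2.2" },
  ],
  "@clerk/astro": [
    { min: "0.0.1", max: "1.5.7", fixed: "1.5.7" },
    { min: "2.0.0-snapshot.v20241206174604", max: "2.17.9", maxInclusive: true, fixed: "2.17.10" },
    { min: "3.0.0", max: "3.0.15", fixed: "3.0.15" },
  ],
  "@clerk/shared": [
    { min: "2.20.17", max: "2.22.1", fixed: "2.22.1" },
    { min: "3.0.0-canary.v20250225091530", max: "3.47.4", fixed: "3.47.4" },
    { min: "4.0.0", max: "4.8.1", fixed: "4.8.1" },
  ],
};

// Minimal semver parse: "major.minor.patch[-prerelease]". Build metadata ("+...") is dropped.
function parseVersion(v) {
  const noBuild = v.split("+")[0];
  const dash = noBuild.indexOf("-");
  const core = dash === -1 ? noBuild : noBuild.slice(0, dash);
  const pre = dash === -1 ? null : noBuild.slice(dash + 1);
  const [major, minor, patch] = core.split(".").map((n) => parseInt(n, 10));
  if ([major, minor, patch].some(Number.isNaN)) throw new Error(`unparseable version: ${v}`);
  return { major, minor, patch, pre };
}

// Returns -1, 0 or 1. A prerelease sorts before the matching release; two prereleases are
// compared as plain strings (approximation of semver prerelease ordering, see lead-in).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (const k of ["major", "minor", "patch"]) {
    if (pa[k] !== pb[k]) return pa[k] < pb[k] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

function inRange(version, r) {
  const aboveMin = compareVersions(version, r.min) >= 0;
  const cmpMax = compareVersions(version, r.max);
  return aboveMin && (r.maxInclusive ? cmpMax <= 0 : cmpMax < 0);
}

// Walks every installed copy (nested node_modules included) and reports the affected ones.
function findAffected(lockfile) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the "" key is the root project itself
    const name = path.slice(idx + "node_modules/".length);
    const ranges = AFFECTED_RANGES[name];
    if (!ranges || !entry.version) continue;
    const r = ranges.find((range) => inRange(entry.version, range));
    if (r) hits.push({ name, version: entry.version, path, fixed: r.fixed });
  }
  return hits;
}

// Constructed sample lockfile fragment for demonstration (not a real project).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@clerk/nextjs": { version: "6.30.0" },
    "node_modules/@clerk/shared": { version: "4.8.1" },
    "node_modules/some-lib/node_modules/@clerk/astro": { version: "2.17.9" },
    "node_modules/@clerk/nuxt": { version: "1.13.28" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  // Usage: node check-clerk-lock.js [path/to/package-lock.json]; falls back to the sample.
  const lock = process.argv[2]
    ? JSON.parse(require("fs").readFileSync(process.argv[2], "utf8"))
    : SAMPLE_LOCKFILE;
  for (const h of findAffected(lock)) {
    console.log(`${h.path}: ${h.name}@${h.version} is affected, upgrade to ${h.fixed}`);
  }
}
```

Run it against each lockfile you ship, including those baked into container images; the nested-path handling matters because a transitive dependency can pin its own copy of @clerk/shared that your top-level package.json never mentions.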
What to do now
- Follow vendor remediation guidance and update to a release that includes the fix for your SDK line.
"This vulnerability is fixed in @clerk/nextjs 5.7.6, 6.39.2, and 7.2.1."
- Inventory where Clerk middleware gating is used (especially any authz decisions that rely on createRouteMatcher) and confirm deployed package versions from lockfiles, built artifacts, and container images.
- Treat this as an auth boundary failure until patched:
  - review access logs for unexpected requests reaching routes that should only be reachable after middleware gating
  - validate that downstream handlers still enforce authorization server-side (defense-in-depth) and are not relying solely on middleware path gating
