CVE-2025-63700: Clerk-js vulnerable to bypass of OAuth authentication flow by manipulating request at OTP verification stage

November 20, 2025 (updated November 21, 2025)

An issue was discovered in Clerk-js 5.88.0 allowing attackers to bypass the OAuth authentication flow by manipulating the request at the OTP verification stage.

References

clerk.com/
github.com/advisories/GHSA-3mm3-wfpv-q85g
github.com/clerk/javascript
github.com/itsnishat08/CVE-2025-63700
nvd.nist.gov/vuln/detail/CVE-2025-63700

Code Behaviors & Features

Detect and mitigate CVE-2025-63700 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →