fix(backend): Do not throw on malformed host values (#7370)

brkalow · jacekradko · nikosdouvlis · web-flow · commit 84483c2a710c · 2025-12-09T10:44:09.000-06:00
Co-authored-by: Jacek Radko &lt;jacek@clerk.dev&gt;
Co-authored-by: Nikos Douvlis &lt;nikosdouvlis@gmail.com&gt;
diff --git a/.changeset/gentle-clouds-heal.md b/.changeset/gentle-clouds-heal.md
@@ -0,0 +1,5 @@
+---
+'@clerk/backend': patch
+---
+
+Fixes an issue with host header parsing that would cause Clerk to throw an exception when receiving malformed host values.
diff --git a/packages/backend/src/tokens/__tests__/clerkRequest.test.ts b/packages/backend/src/tokens/__tests__/clerkRequest.test.ts
@@ -158,6 +158,39 @@ describe('createClerkRequest', () => {
       const req2 = new Request('http://localhost:3000////path');
       expect(createClerkRequest(req2).clerkUrl.toString()).toBe('http://localhost:3000////path');
     });
+
+    it('handles malicious host header with script injection gracefully', () => {
+      const req = new Request('http://localhost:3000/path', {
+        headers: {
+          'x-forwarded-host': 'z2cgvm.xfh"></script><script>alert(document.domain);</script>/',
+          'x-forwarded-proto': 'https',
+        },
+      });
+      expect(() => createClerkRequest(req)).not.toThrow();
+      expect(createClerkRequest(req).clerkUrl.toString()).toBe('http://localhost:3000/path');
+    });
+
+    it('handles malicious host header with invalid characters gracefully', () => {
+      const req = new Request('http://localhost:3000/path?foo=bar', {
+        headers: {
+          'x-forwarded-host': '<invalid>host',
+          'x-forwarded-proto': 'https',
+        },
+      });
+      expect(() => createClerkRequest(req)).not.toThrow();
+      expect(createClerkRequest(req).clerkUrl.toString()).toBe('http://localhost:3000/path?foo=bar');
+    });
+
+    it('handles empty forwarded headers gracefully', () => {
+      const req = new Request('http://localhost:3000/path', {
+        headers: {
+          'x-forwarded-host': '',
+          'x-forwarded-proto': '',
+        },
+      });
+      expect(() => createClerkRequest(req)).not.toThrow();
+      expect(createClerkRequest(req).clerkUrl.toString()).toBe('http://localhost:3000/path');
+    });
   });
 
   describe('toJSON', () => {
diff --git a/packages/backend/src/tokens/clerkRequest.ts b/packages/backend/src/tokens/clerkRequest.ts
@@ -59,7 +59,12 @@ class ClerkRequest extends Request {
     if (origin === initialUrl.origin) {
       return createClerkUrl(initialUrl);
     }
-    return createClerkUrl(initialUrl.pathname + initialUrl.search, origin);
+
+    try {
+      return createClerkUrl(initialUrl.pathname + initialUrl.search, origin);
+    } catch {
+      return createClerkUrl(initialUrl);
+    }
   }
 
   private getFirstValueFromHeader(value?: string | null) {

-Original file line number
+Diff line change
@@ @@ -0,0 +1,5 @@ @@
 +---
 +'@clerk/backend': patch
 +---
++
 +Fixes an issue with host header parsing that would cause Clerk to throw an exception when receiving malformed host values.
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,12 @@ class ClerkRequest extends Request {`
`59`	`59`	`if (origin === initialUrl.origin) {`
`60`	`60`	`return createClerkUrl(initialUrl);`
`61`	`61`	`}`
`62`		`- return createClerkUrl(initialUrl.pathname + initialUrl.search, origin);`
	`62`	`+`
	`63`	`+ try {`
	`64`	`+ return createClerkUrl(initialUrl.pathname + initialUrl.search, origin);`
	`65`	`+ } catch {`
	`66`	`+ return createClerkUrl(initialUrl);`
	`67`	`+ }`
`63`	`68`	`}`
`64`	`69`
`65`	`70`	`private getFirstValueFromHeader(value?: string \| null) {`