Description
Preliminary Checks
- I have reviewed the documentation: https://clerk.com/docs
- I have searched for existing issues: https://github.com/clerk/javascript/issues
- I have not already reached out to Clerk support via email or Discord (if you have, no need to open an issue here)
- This issue is not a question, general help request, or anything other than a bug report directly related to Clerk. Please ask questions in our Discord community: https://clerk.com/discord.
Reproduction
This is not replayable in a browser
Publishable key
pk_test_aHVtb3JvdXMtZGFzc2llLTE4LmNsZXJrLmFjY291bnRzLmRldiQ
Description
Steps to reproduce:
- Use the React-Router integration with Clerk
- Be a phishing attacker and send a request with a host header like
https://z2cgvm.xfh"></script><script>alert(document.domain);</script>/
Expected behavior:
Clerk should not crash
Actual behavior:
Clerk does this:

```ts
private deriveUrlFromHeaders(req: Request) {
```

which it calls when initializing ClerkRequest; the URL constructor throws an error, and so any security scanner / phishing / bad actor can trigger an uncaught exception from Clerk.
Environment
System:
OS: macOS 26.0.1
CPU: (8) arm64 Apple M2
Memory: 2.40 GB / 24.00 GB
Shell: 5.9 - /bin/zsh
Binaries:
Node: 24.8.0 - /Users/tmcw/.local/share/mise/installs/node/24.8.0/bin/node
npm: 11.6.0 - /Users/tmcw/.local/share/mise/installs/node/24.8.0/bin/npm
pnpm: 10.22.0 - /Users/tmcw/.local/share/mise/installs/pnpm/10.22.0/pnpm
Deno: 2.5.5 - /Users/tmcw/.local/share/mise/installs/deno/2.5.5/bin/deno
Watchman: 2025.11.10.00 - /opt/homebrew/bin/watchman
Browsers:
Chrome: 142.0.7444.176
Chrome Canary: 144.0.7535.0
Firefox: 144.0
Safari: 26.0.1
npmPackages:
@clerk/backend: ^1.30.0 => 1.34.0
@clerk/express: ^1.4.9 => 1.4.9
@clerk/fastify: 2.2.9 => 2.2.9
@clerk/react-router: ^1.9.6 => 1.9.6
@react-aria/interactions: ^3.25.5 => 3.25.5
@react-email/components: ^1.0.1 => 1.0.1
@react-router/dev: ^7.9.4 => 7.9.4
@react-router/express: ^7.9.4 => 7.9.4
@react-router/fs-routes: ^7.9.4 => 7.9.4
@react-router/node: ^7.9.4 => 7.9.4
@react-router/serve: ^7.9.4 => 7.9.4
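The failure mode in the report, as an added example that is not Clerk's or React Router's code: a request whose Host header carries characters the WHATWG URL parser refuses in a host (`<` and `>` are forbidden host code points) makes `new URL(path, \`${proto}://${host}\`)` throw, and if nothing catches that TypeError the whole request dies. The hardened variant validates the host syntax before parsing, optionally pins it to the hosts the deployment actually serves, and turns any remaining parse error into a 400. The function names (`deriveUrlNaive`, `deriveUrlSafe`, `isValidHost`, `handle`), the `HOST_RE` grammar and the sample headers are all constructed for this example; they are assumptions, not Clerk's implementation. Requires Node 18+ for the global `Headers` and `URL`.

```javascript
// Added example, not Clerk's code. Names and sample headers are constructed.

// Constructed sample headers: one benign request, one whose Host value is a
// script-injection style string in the spirit of the report's payload.
const BENIGN = new Headers({ host: 'app.example.com', 'x-forwarded-proto': 'https' });
const HOSTILE = new Headers({ host: 'z2cgvm.xfh"><script>alert(document.domain)</script>' });

// Naive derivation (the failure mode): concatenate header values and hand the
// result to the URL parser. With `<` / `>` in the authority, `new URL` throws
// TypeError (ERR_INVALID_URL in Node); uncaught, that crashes the request.
function deriveUrlNaive(headers, path = '/') {
  const host = headers.get('x-forwarded-host') ?? headers.get('host');
  const proto = headers.get('x-forwarded-proto') ?? 'http';
  return new URL(path, `${proto}://${host}`);
}

// Conservative host grammar: DNS-style labels (with optional trailing dot) or a
// bracketed IPv6 literal, each with an optional :port. Deliberately narrower
// than RFC 3986 reg-name: nothing a real client sends falls outside it.
const HOST_RE =
  /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\.?|\[[0-9a-f:.]+\])(?::(\d{1,5}))?$/i;

function isValidHost(host) {
  if (typeof host !== 'string' || host.length === 0 || host.length > 255) return false;
  const m = HOST_RE.exec(host);
  if (!m) return false;
  if (m[1] !== undefined && Number(m[1]) > 65535) return false; // port out of range
  return true;
}

// Hardened derivation: validate before parsing, optionally enforce an allowlist,
// and never let a parser exception escape to the caller.
function deriveUrlSafe(headers, { path = '/', trustedHosts = null } = {}) {
  // x-forwarded-host may carry a comma-separated hop chain; use the first entry.
  const forwarded = headers.get('x-forwarded-host')?.split(',')[0];
  const host = (forwarded ?? headers.get('host') ?? '').trim().toLowerCase();
  if (!isValidHost(host)) return { ok: false, reason: 'malformed Host header' };
  if (trustedHosts && !trustedHosts.has(host)) return { ok: false, reason: 'untrusted host' };
  // Only http/https are meaningful here; any other x-forwarded-proto value is ignored.
  const proto = headers.get('x-forwarded-proto')?.split(',')[0].trim() === 'https' ? 'https' : 'http';
  try {
    return { ok: true, url: new URL(path, `${proto}://${host}`) };
  } catch (err) {
    return { ok: false, reason: `unparseable URL: ${err.message}` };
  }
}

// Handler glue: a bad Host header becomes a 400 response, not a stack trace.
function handle(headers, trustedHosts = null) {
  const result = deriveUrlSafe(headers, { trustedHosts });
  return result.ok
    ? { status: 200, body: result.url.href }
    : { status: 400, body: result.reason };
}

// True when the naive derivation throws for the given headers.
function naiveThrows(headers) {
  try {
    deriveUrlNaive(headers);
    return false;
  } catch {
    return true;
  }
}

console.log('naive throws on hostile host:', naiveThrows(HOSTILE));
console.log('safe, hostile:', handle(HOSTILE));
console.log('safe, benign:', handle(BENIGN, new Set(['app.example.com'])));
```

The allowlist check is the part that matters beyond crash-proofing: once the derived origin feeds redirects or cookie domains, a syntactically valid but attacker-chosen Host is a host-header injection problem, so validate syntax first and then compare against the hosts you actually serve.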