RedwoodSDK Cross-Site Request Forgery Vulnerability in Server Functions via GET Requests

Vulnerability

A cross-site request forgery vulnerability has been identified in RedwoodSDK versions 1.0.0-beta.50 prior to 1.0.5. This issue allows server functions exported from 'use server' files to be invoked via GET requests, bypassing the HTTP method they are intended to require. In applications using cookie-based authentication, this could enable a cross-site top-level GET navigation to trigger a state-changing function, because browsers attach SameSite=Lax cookies to top-level GET requests. The vulnerability affects all server functions, both serverAction() handlers and bare exported functions in 'use server' files.

Impact

Exploitation of this vulnerability allows an attacker to execute state-changing server functions with the credentials of an authenticated user. This could lead to unauthorized modifications, deletions, or mutations of data in applications that rely on cookie-based authentication.

Remediation

Users are advised to update to RedwoodSDK version 1.0.6, which fixes the vulnerability by enforcing the correct HTTP method for server function requests. No changes to application code are necessary.
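The class of fix described above, enforcing the HTTP method before a server function is dispatched, is shown below as an added illustration. This is not RedwoodSDK's own code: the route prefix, the `?id=` query parameter, the cookie name and the sample handler are assumptions made for the example, and it only assumes a runtime with the standard `Request`/`Response` objects (Node 18+ or Workers). The guard runs before any cookie is read or handler is resolved, so a cross-site top-level GET that carries a SameSite=Lax session cookie is answered with 405 and never reaches state-changing code.

```javascript
// Added example, not RedwoodSDK's own code: a guard that refuses to dispatch
// a server function unless the request used the expected HTTP method. The
// route prefix, query parameter and cookie name are assumptions for this
// illustration, not identifiers taken from the framework.

const SERVER_FUNCTION_PREFIX = "/__server-function"; // assumed path prefix
const ALLOWED_METHOD = "POST";

// Returns null when the request may proceed, or a 405 Response when a
// server-function route was reached with any method other than POST.
function enforceServerFunctionMethod(request) {
  const url = new URL(request.url);
  if (!url.pathname.startsWith(SERVER_FUNCTION_PREFIX)) {
    return null; // ordinary page route: nothing to enforce here
  }
  if (request.method !== ALLOWED_METHOD) {
    return new Response("Method Not Allowed", {
      status: 405,
      headers: { Allow: ALLOWED_METHOD },
    });
  }
  return null;
}

// Minimal stand-in for a framework router. The method check happens first,
// before the session cookie is consulted or a handler is looked up, so a
// cross-site GET navigation cannot trigger a mutation even though the
// browser attached the SameSite=Lax cookie to it.
function handleRequest(request, functions) {
  const rejection = enforceServerFunctionMethod(request);
  if (rejection) return rejection;

  const url = new URL(request.url);
  if (!url.pathname.startsWith(SERVER_FUNCTION_PREFIX)) {
    return new Response("page", { status: 200 });
  }
  const id = url.searchParams.get("id"); // assumed: action selected by ?id=
  const fn = functions[id];
  if (!fn) return new Response("Unknown server function", { status: 404 });
  return new Response(JSON.stringify({ result: fn() }), {
    status: 200,
    headers: { "content-type": "application/json" },
  });
}

// Constructed sample state and a state-changing handler of the kind the
// advisory warns about (a bare exported function from a 'use server' file).
const state = { deletedItems: 0 };
const sampleFunctions = {
  deleteItem: () => {
    state.deletedItems += 1;
    return state.deletedItems;
  },
};

// Simulate one request carrying a session cookie, as a browser attaches it to
// a top-level navigation, and report the status plus the resulting state.
function simulate(method, id) {
  const request = new Request(
    `https://app.example${SERVER_FUNCTION_PREFIX}?id=${id}`,
    { method, headers: { cookie: "session=constructed-session-token" } }
  );
  const response = handleRequest(request, sampleFunctions);
  return { status: response.status, deletedItems: state.deletedItems };
}
```

Calling `simulate("GET", "deleteItem")` returns status 405 with `deletedItems` still 0, while `simulate("POST", "deleteItem")` is dispatched and increments the counter; the guard is deliberately placed ahead of cookie handling so that the presence of valid credentials on a GET request makes no difference.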

Added: Apr 7, 2026, 8:54 PM
Updated: Apr 7, 2026, 8:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 0.6
exploitability: 5.8
remediation: 0.0
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.