RedwoodSDK Same-Site Cross-Site Request Forgery Vulnerability in Server Actions

Vulnerability

A cross-site request forgery (CSRF) vulnerability has been identified in RedwoodSDK versions from 1.0.0-beta.50 up to, but not including, 1.2.3. The issue arises in server actions, which enforce the HTTP method but do not validate the origin of the request. As a result, a request from a different origin that the browser nevertheless treats as same-site, so that the victim's session cookie is still attached, can invoke a server action as the victim. The vulnerability is particularly concerning for applications deployed on custom domains, where an attacker could exploit the flaw by controlling a sibling subdomain or through other means. In local development, the vulnerability can be exploited by sending requests from 'localhost' on a different port to the application's development server.

Impact

Exploitation allows an attacker to induce an authenticated user's browser to invoke arbitrary server actions, potentially leading to unauthorized state changes or actions within the application. While the attacker cannot read the responses, because such requests are made in 'no-cors' mode, they can still observe the effects of the actions invoked.

Remediation

Users should update to RedwoodSDK version 1.2.3 or later, where the vulnerability has been patched. The patched version enforces an origin match for non-GET action requests, rejecting any request whose Origin header does not match the origin of the request URL unless that origin is listed in the 'allowedOrigins' configuration option.
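The following is an added example, not RedwoodSDK's own code, of an origin check of the kind the fix describes, written against the standard Fetch Request API; the action path '/action', the 'evil.example.com' sibling subdomain and the localhost ports are constructed values for the scenarios in this advisory.

```javascript
// Added example (not RedwoodSDK's own code): reject non-GET action requests
// whose Origin header does not match the request URL's origin, unless the
// origin is explicitly allowlisted. A sibling subdomain or another localhost
// port is same-site for cookie purposes but has a different Origin, so this
// comparison (which includes the port) blocks the requests described above.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Canonicalise to scheme://host[:port] (drops default ports); null if absent,
// malformed, or the literal "null" origin sent by sandboxed or opaque contexts.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Returns { allowed, reason } so a caller can log why a request was rejected.
function checkActionOrigin(request, allowedOrigins = []) {
  if (SAFE_METHODS.has(request.method.toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }
  const target = new URL(request.url).origin;
  const origin = normalizeOrigin(request.headers.get("origin"));
  if (origin === null) {
    // Browsers always send Origin on cross-origin POSTs; absence is untrusted.
    return { allowed: false, reason: "missing or malformed Origin header" };
  }
  if (origin === target) {
    return { allowed: true, reason: "same origin" };
  }
  const allowlist = new Set(allowedOrigins.map(normalizeOrigin).filter(Boolean));
  if (allowlist.has(origin)) {
    return { allowed: true, reason: "origin in allowedOrigins" };
  }
  return { allowed: false, reason: `origin ${origin} does not match ${target}` };
}

// Build a constructed action request; '/action' is a hypothetical path.
function actionRequest(method, url, origin) {
  const headers = origin ? { origin } : {};
  return new Request(url, { method, headers });
}

// Constructed scenarios mirroring the advisory.
const sameOrigin = actionRequest("POST", "https://app.example.com/action", "https://app.example.com");
const siblingSubdomain = actionRequest("POST", "https://app.example.com/action", "https://evil.example.com");
const otherLocalPort = actionRequest("POST", "http://localhost:8787/action", "http://localhost:5173");
const plainGet = actionRequest("GET", "https://app.example.com/action", null);
```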

Added: May 8, 2026, 10:05 PM
Updated: May 8, 2026, 10:05 PM

Vulnerability Rating

Custom Algorithm

spread:          0.0
impact:          0.6
exploitability:  5.8
remediation:     0.0
relevance:       7.8
threat:          0.0
urgency:         2.9
incentive:       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.