mickasmt next-saas-stripe-starter Business Logic Error Vulnerability in Checkout Handler
Vulnerability
A business logic error vulnerability has been identified in mickasmt next-saas-stripe-starter version 1.0.0. The issue arises in the Checkout Handler component, specifically within the generateUserStripe function in actions/generate-user-stripe.ts. The vulnerability allows for arbitrary manipulation of the priceId parameter, which is sent to stripe.checkout.sessions.create without proper validation. This flaw could be exploited remotely, leading to unauthorized changes in subscription pricing.
Impact
Exploitation of this vulnerability could result in unauthorized access to subscription services at manipulated price points, potentially allowing users to gain services for free or at a reduced cost.
Reproduction
To reproduce this vulnerability, intercept a call to the generateUserStripe function. Replace the priceId parameter with an arbitrary Stripe price ID from the same Stripe account, such as one priced at $0, a trial offer, or a different product. Then, complete the checkout process. The webhook handler will automatically update the user record with the subscription data from Stripe, reflecting the manipulated price.
Remediation
Validate the priceId parameter against a whitelist of known plan IDs before creating the checkout session, and derive that whitelist from the application's own subscription pricing data so that only price IDs the application actually offers are accepted.
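One way to implement that check, as an added example that is not the project's own code: the pricing entries and price IDs below are constructed placeholders, and the `CreateCheckoutSession` type is a hypothetical stand-in for the subset of `stripe.checkout.sessions.create` the handler uses, so the example runs offline.

```typescript
// Shape of one entry in the app's subscription pricing data (assumed).
interface PlanPrice {
  plan: string;
  interval: "month" | "year";
  priceId: string;
}

// Constructed placeholder pricing data; in the real app this is the
// subscription pricing config the remediation refers to.
const PRICING_DATA: readonly PlanPrice[] = [
  { plan: "pro", interval: "month", priceId: "price_PLACEHOLDER_PRO_MONTHLY" },
  { plan: "pro", interval: "year", priceId: "price_PLACEHOLDER_PRO_YEARLY" },
  { plan: "business", interval: "month", priceId: "price_PLACEHOLDER_BUSINESS_MONTHLY" },
  { plan: "business", interval: "year", priceId: "price_PLACEHOLDER_BUSINESS_YEARLY" },
];

// Build the whitelist once from the app's own data: a price ID is accepted
// only if the app actually sells it.
const ALLOWED_PRICE_IDS: ReadonlySet<string> = new Set(PRICING_DATA.map((p) => p.priceId));

// Returns the matching plan entry, or null when the value is not a string or
// is not an exact (case-sensitive) match for a known price ID.
function resolvePlanPrice(priceId: unknown): PlanPrice | null {
  if (typeof priceId !== "string" || !ALLOWED_PRICE_IDS.has(priceId)) return null;
  return PRICING_DATA.find((p) => p.priceId === priceId) ?? null;
}

// Hypothetical stand-in for the Stripe call, injected so the example runs offline.
type CreateCheckoutSession = (params: {
  mode: "subscription";
  line_items: { price: string; quantity: number }[];
  customer_email: string;
}) => Promise<{ url: string }>;

// Hardened checkout step: the caller-supplied priceId is never forwarded to
// Stripe; only the price ID from the resolved pricing entry is.
async function createValidatedCheckout(
  priceId: unknown,
  userEmail: string,
  createSession: CreateCheckoutSession,
): Promise<{ url: string }> {
  const plan = resolvePlanPrice(priceId);
  if (plan === null) {
    throw new Error("Rejected checkout: priceId is not a known plan price");
  }
  return createSession({
    mode: "subscription",
    line_items: [{ price: plan.priceId, quantity: 1 }],
    customer_email: userEmail,
  });
}
```

Rejections are thrown rather than silently mapped to a default plan, so repeated failures of this check show up in server logs as a signal that someone is tampering with the parameter.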
