CVE-2026-39371
RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Description
**Summary**

Server functions exported from `"use server"` files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send `SameSite=Lax` cookies on top-level GET requests. This affected all server functions, both `serverAction()` handlers and bare exported functions in `"use server"` files.

**Impact**

An attacker could construct a URL containing a known action ID and JSON-encoded arguments. When a victim with an active session visited or was redirected to this URL, the function executed with the victim's credentials. This affected any server function that performs state-changing operations (writes, deletes, mutations) in applications using cookie-based authentication.

**Remediation**

Update to rwsdk `1.0.6`. No application code changes are required. The fix enforces the declared HTTP method at dispatch time. GET requests to server functions that require POST now return `405 Method Not Allowed`.
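The following is an added illustration, not RedwoodSDK's own code: a minimal server-function dispatcher that models the vulnerable behaviour (any method runs the function, so a top-level GET carrying a `SameSite=Lax` session cookie performs the mutation) beside the fix the advisory describes (the declared method is enforced at dispatch time and a mismatch gets `405`). The wire format (an `action` query parameter plus a JSON-encoded `args` array), the registry, the session store and the request objects are all constructed assumptions.

```javascript
// Added example, not RedwoodSDK's own code. It models the fix described in the
// advisory: check the declared HTTP method at dispatch time and answer 405 when
// it does not match. The wire format (an `action` query parameter plus a
// JSON-encoded `args` array) is a hypothetical stand-in for the real one.

// Registry of server functions; each entry declares the only method it accepts.
const serverFunctions = new Map([
  ["deleteAccount", { method: "POST", fn: (userId) => ({ deleted: userId }) }],
]);

// Constructed session store mapping a cookie value to a user id.
const sessions = new Map([["sid=abc123", "user-42"]]);

// Pull the action id and arguments out of the request URL. Returns null when
// the request is not a server-function invocation at all.
function parseInvocation(request) {
  const url = new URL(request.url);
  const actionId = url.searchParams.get("action");
  if (actionId === null) return null;
  let args;
  try { args = JSON.parse(url.searchParams.get("args") ?? "[]"); } catch { args = null; }
  return { actionId, args: Array.isArray(args) ? args : null };
}

// Build a dispatcher. With enforceMethod=false it behaves like the vulnerable
// versions: any method runs the function, so a top-level cross-site GET that
// carries the victim's SameSite=Lax session cookie performs the mutation.
function makeDispatcher({ enforceMethod }) {
  return function dispatch(request) {
    const call = parseInvocation(request);
    if (call === null) return { status: 404 };
    const entry = serverFunctions.get(call.actionId);
    if (entry === undefined || call.args === null) return { status: 400 };
    // The fix: reject before authentication or execution, advertising Allow.
    if (enforceMethod && request.method !== entry.method) {
      return { status: 405, headers: { Allow: entry.method } };
    }
    const user = sessions.get(request.headers.cookie ?? "");
    if (user === undefined) return { status: 401 };
    return { status: 200, body: entry.fn(...call.args) };
  };
}

const dispatchVulnerable = makeDispatcher({ enforceMethod: false });
const dispatchPatched = makeDispatcher({ enforceMethod: true });

// Constructed request: a cross-site top-level navigation to the action URL,
// which the browser sends with the Lax session cookie attached.
const crossSiteGet = {
  method: "GET",
  url: "https://app.example/?action=deleteAccount&args=%5B%22user-42%22%5D",
  headers: { cookie: "sid=abc123" },
};
```

`dispatchVulnerable(crossSiteGet)` returns status 200 and performs the delete, while `dispatchPatched(crossSiteGet)` returns 405 and the same request sent as POST still succeeds.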
How to patch CVE-2026-39371
To patch CVE-2026-39371, upgrade the affected package to the patched version listed below.
- — Upgrade to 1.0.6 or later
Is CVE-2026-39371 being exploited?
Low: EPSS is 0.0%, and no large-scale exploitation activity has been observed so far.
Affected packages (1)
- >= 1.0.0-beta.50, < 1.0.6
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.1) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H |