Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H
Lifecycle Timeline
5DescriptionGitHub Advisory
RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.
AnalysisAI
Cross-Site Request Forgery (CSRF) in RedwoodSDK 1.0.0-beta.50 through 1.0.5 allows unauthenticated remote attackers to execute state-changing server functions via crafted GET requests. The vulnerability stems from server functions exported from 'use server' files accepting GET requests despite being intended for POST-only invocation, enabling exploitation through cross-site navigation in cookie-authenticated applications where browsers automatically attach SameSite=Lax cookies to top-level GET requests. CVSS score 8.1 reflects high integrity and availability impact with low attack complexity requiring only user interaction. No public exploit identified at time of analysis, with EPSS data unavailable. Fixed in version 1.0.6.
Technical ContextAI
RedwoodSDK is a server-first React framework (cpe:2.3:a:redwoodjs:sdk) that implements React Server Components patterns with 'use server' directives for server-side function execution. The vulnerability (CWE-352: Cross-Site Request Forgery) occurs in the framework's HTTP method handling layer. Server functions decorated with 'use server' - including both serverAction() handlers and bare exported functions - failed to enforce POST-only invocation and incorrectly accepted GET requests. In browser security contexts, SameSite=Lax cookie policy (the default for most modern applications) sends authentication cookies on top-level cross-origin GET navigations but blocks them on cross-origin POST requests. This design prevents CSRF on POST endpoints but assumes GET requests are safe. The framework's failure to restrict HTTP methods created a gap where authenticated state-changing operations became vulnerable to cross-site GET-based attacks, violating the fundamental HTTP semantic that GET should be idempotent and safe.
RemediationAI
Upgrade RedwoodSDK to version 1.0.6 or later immediately, which implements proper HTTP method validation to restrict server functions to POST requests only. The vendor-released patch addresses the root cause by enforcing method-based routing controls on all 'use server' exported functions. Organizations unable to upgrade immediately should implement defense-in-depth measures: deploy anti-CSRF tokens for all state-changing operations, configure stricter SameSite=Strict cookie policies if application workflow permits (note this may break legitimate cross-site navigation scenarios), and review server function exports to ensure no sensitive operations are accessible. Validate that authentication middleware enforces token-based CSRF protection as secondary control. Consult the GitHub security advisory at https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq for framework-specific upgrade guidance and compatibility considerations.
IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. Rated
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 ,
Same-site Cross-Site Request Forgery (CSRF) in RedwoodSDK server actions allows attackers controlling same-site origins
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19888
GHSA-x8rx-789c-2pxq