Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
RedwoodSDK is a server-first React framework. From version 1.0.0-beta.50 to before version 1.2.3, server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim's session cookie attached. This issue has been patched in version 1.2.3.
AnalysisAI
Same-site Cross-Site Request Forgery (CSRF) in RedwoodSDK server actions allows attackers controlling same-site origins to invoke arbitrary server actions with victim session cookies in versions 1.0.0-beta.50 through 1.2.2. The vulnerability stems from missing origin validation despite HTTP method enforcement, enabling attackers to trigger state-changing operations through subdomain takeover, sibling-application XSS, or local development vectors. Vendor-released patch version 1.2.3 enforces Origin/Host matching validation. CVSS 5.3 reflects high integrity impact (UI:R) but constrained attack complexity (AC:H) and no information disclosure.
Technical ContextAI
RedwoodSDK is a server-first React framework that implements server actions as a mechanism for invoking server-side functions from client code. The vulnerability exists in the server action execution pipeline, which validates HTTP methods but lacks cross-origin request validation. The framework relies on SameSite=Lax session cookies for authentication, which the browser attaches to same-site requests regardless of origin. CWE-352 (Cross-Site Request Forgery) captures the root cause: the application fails to validate that requests originate from the legitimate application origin before performing sensitive state-changing operations. This is particularly critical because modern SameSite cookie policies (Lax/Strict) depend on browser Same-Site definition, which differs from Same-Origin: requests from app.example.com to attacker.example.com are treated as same-site, allowing cookie attachment despite origin mismatch.
RemediationAI
Upgrade RedwoodSDK to version 1.2.3 or later; no application code changes are required for applications that invoke server actions only from their own origin. The patch enforces Origin/Host header matching for non-GET action requests and rejects mismatched origins with HTTP 403. Applications that legitimately invoke server actions from different origins must configure the new allowedOrigins option on defineApp() to whitelist those origins explicitly. As a temporary mitigation prior to patching, restrict server action invocation to same-origin requests only via deployment configuration, implement explicit CSRF token validation independent of origin checks, or disable cookie-based authentication in favor of token-based methods (Bearer tokens) that are not automatically attached to cross-site requests. Each mitigation has trade-offs: deployment-level blocking may affect legitimate multi-origin architectures; manual CSRF tokens require code changes; token-based auth requires authentication refactoring. Reference: https://github.com/redwoodjs/sdk/security/advisories/GHSA-m2m6-cff5-3w7c.
IBM SDK, Java Technology Edition is vulnerable XML External Entity Injection (XXE) error when processing XML data. Rated
The CLI in npm before 2.15.1 and 3.x before 3.8.3, as used in Node.js 0.10 before 0.10.44, 0.12 before 0.12.13, 4 before
Cross-Site Request Forgery (CSRF) in RedwoodSDK 1.0.0-beta.50 through 1.0.5 allows unauthenticated remote attackers to e
The IBM Java Runtime Environment's Diagnostic Tooling Framework for Java (DTFJ) (IBM SDK, Java Technology Edition 6.0 ,
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28823