CVE-2026-39371

Published: Apr 7, 2026Modified: May 5, 2026

8.1

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:H

Exploitability: 2.8 / Impact: 5.2

Source: security-advisories@github.com (Secondary)

Description

RedwoodSDK is a server-first React framework. From 1.0.0-beta.50 to 1.0.5, erver functions exported from "use server" files could be invoked via GET requests, bypassing their intended HTTP method. In cookie-authenticated applications, this allowed cross-site GET navigations to trigger state-changing functions, because browsers send SameSite=Lax cookies on top-level GET requests. This affected all server functions -- both serverAction() handlers and bare exported functions in "use server" files. This vulnerability is fixed in 1.0.6.

Affected (11)

Products: Redwoodjs: Redwoodsdk

Redwoodjs

1 product

Redwoodsdk

Configuration A

11 vulnerable

Vulnerable Software	Affected Versions
Redwoodjs Redwoodsdk	From 1.0.1 to 1.0.6
Redwoodjs Redwoodsdk	Version 1.0.0 beta50
Redwoodjs Redwoodsdk	Version 1.0.0 beta51
Redwoodjs Redwoodsdk	Version 1.0.0 beta52
Redwoodjs Redwoodsdk	Version 1.0.0 beta53
Redwoodjs Redwoodsdk	Version 1.0.0 beta53_test20260205213024
Redwoodjs Redwoodsdk	Version 1.0.0 beta54
Redwoodjs Redwoodsdk	Version 1.0.0 beta55
Redwoodjs Redwoodsdk	Version 1.0.0 beta56
Redwoodjs Redwoodsdk	Version 1.0.0 beta57
Redwoodjs Redwoodsdk	Version 1.0.0 beta58

Related CWEs

CWE-352

Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

References (1)

https://github.com/redwoodjs/sdk/security/advisories/GHSA-x8rx-789c-2pxq

Source: security-advisories@github.com

Vendor Advisory

Timeline

No history available yet.