GHSA-m2m6-cff5-3w7c: RedwoodSDK has Same-site CSRF through lack of origin validation in its server actions
Server actions in rwsdk apply HTTP method enforcement but no origin validation. A request originating from a different origin that the browser treats as same-site can invoke a server action with the victim’s session cookie attached.
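As an added illustration, not code from rwsdk, the JavaScript below places the method-only gate the advisory describes beside a gate that also validates the request origin; the `{ method, headers }` request shape, the `app.example.com` origin and the sample requests are assumptions constructed for the example.

```javascript
// Added example (not rwsdk's own code): a method-only gate, as the advisory
// describes, next to a gate that also validates the request origin.
// The request shape { method, headers } is a hypothetical stand-in for the
// framework's request object; header names are looked up case-insensitively.

const APP_ORIGIN = "https://app.example.com"; // constructed deployment origin

function header(request, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(request.headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return null;
}

// Weak gate: method enforcement only. A same-site sibling origin passes.
function allowByMethodOnly(request) {
  return request.method === "POST";
}

// Hardened gate: method enforcement plus an exact-match origin check.
// Returns { allowed, reason } so the caller can log why a request was refused.
function allowByMethodAndOrigin(request, appOrigin = APP_ORIGIN) {
  if (request.method !== "POST") return { allowed: false, reason: "method" };
  const origin = header(request, "Origin");
  if (origin === null) {
    // No Origin header: accept only if the browser itself vouches for the
    // request being same-origin via the forgery-proof Sec-Fetch-Site header.
    const site = header(request, "Sec-Fetch-Site");
    return site === "same-origin"
      ? { allowed: true, reason: "sec-fetch-site" }
      : { allowed: false, reason: "missing-origin" };
  }
  // Exact comparison: https://blog.example.com (same-site, different origin)
  // and http://app.example.com (scheme downgrade) both fail here.
  if (origin !== appOrigin) return { allowed: false, reason: "origin-mismatch" };
  return { allowed: true, reason: "origin" };
}

// Constructed sample requests: one from the app itself, one from a sibling
// subdomain that the browser treats as same-site (session cookie attached).
function demo() {
  const fromApp = { method: "POST", headers: { Origin: "https://app.example.com" } };
  const fromSibling = { method: "POST", headers: { Origin: "https://blog.example.com" } };
  return {
    methodOnly: [allowByMethodOnly(fromApp), allowByMethodOnly(fromSibling)],
    withOrigin: [allowByMethodAndOrigin(fromApp).allowed,
                 allowByMethodAndOrigin(fromSibling).allowed],
  };
}
```

`demo()` returns `methodOnly: [true, true]` and `withOrigin: [true, false]`, which is exactly the gap the advisory reports: the sibling-origin request passes the method check but fails the origin check.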