Executive Summary

CVE-2026-39371 is a Cross-Site Request Forgery (CSRF) vulnerability in the RedwoodJS SDK affecting versions from 1.0.0-beta.50 up to 1.0.5. The issue occurs because server functions exported from "use server" files could be invoked using GET requests, bypassing their intended HTTP methods.

In applications that use cookie-based authentication, browsers send SameSite=Lax cookies on top-level GET requests. This allows cross-site GET navigations to trigger state-changing server functions unintentionally.

An attacker can craft a URL containing a known action ID and JSON-encoded arguments. When a victim with an active session visits or is redirected to this URL, the server function executes with the victim’s credentials, enabling unauthorized execution of state-changing operations.

This affects all server functions, including serverAction() handlers and bare exported functions in "use server" files. The vulnerability was fixed in version 1.0.6 by enforcing the declared HTTP method, causing GET requests to server functions that require POST to return a 405 Method Not Allowed response.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized state-changing operations on your application by tricking a user into visiting a malicious URL.

• Unauthorized modification of data (Integrity Impact: High)
• Potential disruption of service (Availability Impact: High)

Because the attack requires the victim to visit or be redirected to a malicious URL, user interaction is necessary, but no special privileges are required by the attacker.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves server functions exported from "use server" files being invoked via GET requests instead of their intended HTTP methods. Detection involves monitoring for unexpected GET requests to server functions that should only accept POST or other methods.

You can detect potential exploitation by inspecting web server logs or network traffic for GET requests targeting serverAction() handlers or other server functions that normally require POST.

• Use tools like curl or wget to test server functions by sending GET requests and observing if they are executed.
• Example command to test a server function endpoint (replace <url> with the actual endpoint):
• curl -v -X GET "<url>/path-to-server-function"
• Check server or application logs for any state-changing operations triggered by GET requests.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade the RedwoodSDK package to version 1.0.6 or later, where the vulnerability is fixed by enforcing the declared HTTP method at dispatch time.

After upgrading, GET requests to server functions that require POST will return a 405 Method Not Allowed response, preventing unauthorized execution.

No changes to application code are required to remediate this vulnerability.

Additionally, consider monitoring for suspicious GET requests and educating users to avoid clicking untrusted links that could trigger state-changing operations.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized execution of state-changing operations in cookie-authenticated applications due to a Cross-Site Request Forgery (CSRF) flaw. Such unauthorized modifications can lead to data integrity issues and potential disruption of service.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, the unauthorized modification of data and potential service disruption could negatively impact compliance with regulations that require data integrity, security, and protection against unauthorized access.

Organizations using affected versions of RedwoodSDK should consider this vulnerability a risk to maintaining compliance with such standards until patched, as it could lead to unauthorized data changes and service availability issues.

Useful 0 Not Useful 0