RedwoodSDK has a CSRF vulnerability in server function dispatch via GET requests
Platform: nodejs
Component: rwsdk
Fixed versions: 1.0.1, 1.0.6
CVE-2026-39371 describes a Cross-Site Request Forgery (CSRF) vulnerability within the rwsdk component of Next.js. This flaw allows attackers to invoke server functions using GET requests, circumventing the intended HTTP method restrictions. The vulnerability impacts all server functions, including serverAction() handlers and exported functions within "use server" files, potentially leading to unauthorized state changes. The vulnerability is fixed in version 1.0.6.
Impact and attack scenarios
An attacker can exploit this vulnerability by crafting a malicious URL containing a known action ID and JSON-encoded arguments. When a victim with an active session visits this URL, the browser will automatically send the request, including the session cookie, triggering the server function. This allows the attacker to perform actions on behalf of the victim without their knowledge or consent. The impact can range from minor data modifications to complete account takeover, depending on the functionality exposed by the server functions. This vulnerability is particularly concerning in cookie-authenticated applications, as browsers automatically include SameSite=Lax cookies on top-level GET requests, making exploitation easier.
Exploitation context
CVE-2026-39371 was published on 2026-04-08. Severity is rated HIGH (CVSS: 8.1). Public proof-of-concept (POC) code is currently unavailable, but the vulnerability's nature suggests it could be easily exploited once a POC is released. The vulnerability is not currently listed on KEV or EPSS, indicating a low to medium probability of active exploitation at this time. Monitor security advisories and vulnerability databases for updates.
Threat intelligence
Exploitation status
EPSS: 0.01% (0th percentile)
CISA SSVC
CVSS vector
What do these metrics mean?
- Attack Vector: Network. Exploitable remotely over the internet with no physical or local access required; the largest possible attack surface.
- Attack Complexity: Low. No special conditions are needed and the vulnerability can be exploited reliably.
- Privileges Required: None. No authentication or credentials are needed to exploit it.
- User Interaction: Required. The victim must open a file, click a link, or visit a specially crafted page.
- Scope: Unchanged. Impact is confined to the vulnerable component itself.
- Confidentiality: None. No confidentiality impact.
- Integrity: High. The attacker can write, modify, or delete any data.
- Availability: High. Complete crash or resource exhaustion; full denial of service.
Affected software
Weakness classification (CWE)
Timeline
- Reserved
- Published
- EPSS updated
Mitigations and workarounds
The primary mitigation for CVE-2026-39371 is to upgrade to Next.js rwsdk version 1.0.6 or later. If upgrading is not immediately feasible, consider implementing stricter input validation and output encoding on the server-side to prevent malicious data from being processed. Additionally, implement robust CSRF protection mechanisms, such as synchronizer tokens or double-submit cookies, to further harden your application. Review all "use server" functions and ensure they are not accessible via GET requests unless explicitly intended. After upgrading, confirm the fix by attempting to trigger a server function via a GET request and verifying that it is rejected.
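As an added illustration of the method and origin checks recommended above (example code, not RedwoodSDK's own; the plain request object shape, the allow-listed origin and the status codes are assumptions), a guard a dispatch handler could run before invoking any server function:

```javascript
// Added example (not RedwoodSDK's code): a guard for a server-function dispatch
// endpoint that enforces the two properties the advisory describes as missing:
// state-changing server functions are reachable only via POST, and only from
// the application's own site, never from a cross-site top-level navigation.
// `req` is assumed to be a plain object { method, headers } whose header names
// are lowercase, so the example runs without any web framework.

const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // constructed value

function checkServerFunctionRequest(req) {
  const method = (req.method || "GET").toUpperCase();
  const h = req.headers || {};

  // 1. Never dispatch a server function on a safe method. Browsers use GET for
  //    top-level navigations and attach SameSite=Lax cookies to them, which is
  //    exactly the cross-site path CVE-2026-39371 describes.
  if (method !== "POST") {
    return { ok: false, status: 405, reason: `method ${method} not allowed` };
  }

  // 2. Browsers label the initiator relationship in Sec-Fetch-Site. Anything
  //    other than same-origin / same-site is a cross-site request.
  const fetchSite = h["sec-fetch-site"];
  if (fetchSite && fetchSite !== "same-origin" && fetchSite !== "same-site") {
    return { ok: false, status: 403, reason: `cross-site request (${fetchSite})` };
  }

  // 3. Origin must be present and allow-listed. Browsers send Origin on every
  //    POST, so a missing Origin is treated as untrusted rather than ignored.
  const origin = h["origin"];
  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, status: 403, reason: `origin ${origin || "<missing>"} not allowed` };
  }

  return { ok: true, status: 200, reason: "ok" };
}
```

Running the guard against a GET with no headers is the same check the advisory suggests for confirming a fix: the request must be rejected before any action ID is looked up.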
Remediation
Update RedwoodSDK to version 1.0.6 or later to mitigate the CSRF vulnerability. This update fixes the issue by ensuring that server functions can only be invoked via the specified HTTP method.
Frequently asked questions
What is CVE-2026-39371 — CSRF in Next.js rwsdk?
CVE-2026-39371 is a Cross-Site Request Forgery (CSRF) vulnerability in the Next.js rwsdk component. It allows attackers to trigger server functions via GET requests, potentially leading to unauthorized actions.
Am I affected by CVE-2026-39371 in Next.js rwsdk?
You are affected if you are using Next.js rwsdk versions prior to 1.0.6 and your application relies on cookie-based authentication.
How do I fix CVE-2026-39371 in Next.js rwsdk?
Upgrade to Next.js rwsdk version 1.0.6 or later. Implement stricter input validation and CSRF protection mechanisms as a temporary workaround.
Is CVE-2026-39371 being actively exploited?
While no active exploitation has been publicly reported, the vulnerability's nature suggests it could be easily exploited once a proof-of-concept is released. Monitor security advisories.
Where can I find the official Next.js advisory for CVE-2026-39371?
Refer to the Next.js security advisories and release notes on the official Next.js website for the latest information and updates regarding CVE-2026-39371.