Cross-site Request Forgery (CSRF) Affecting @gitlawb/openclaude package, versions <0.5.1


Severity

Recommended
0.0
medium
0
10

CVSS assessment by Snyk's Security Team. Learn more

Threat Intelligence

Exploit Maturity
Proof of Concept
EPSS
0.22% (13th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-GITLAWBOPENCLAUDE-16769903
  • published20 May 2026
  • disclosed12 May 2026
  • creditXanlar Agamalizade

Introduced: 12 May 2026

CVE-2026-42073  (opens in a new tab)
CWE-352  (opens in a new tab)

How to fix?

Upgrade @gitlawb/openclaude to version 0.5.1 or higher.

Overview

@gitlawb/openclaude is an OpenClaude opens coding-agent workflows to any LLM — OpenAI, Gemini, DeepSeek, Ollama, and 200+ models

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the callback process. An attacker can cause the local server to shut down and terminate active authentication sessions by sending a crafted request containing an error parameter, which bypasses internal state validation. This can be triggered remotely via a cross-origin request without authentication or knowledge of the expected state value.

PoC

import { createServer } from 'http';
import { parse } from 'url';

const expectedState = "secure_state_abc123";

const server = createServer((req, res) => {
    const parsedUrl = parse(req.url || '', true);
    const { pathname, query } = parsedUrl;
    const { state, error } = query;

    if (pathname === '/callback') {

        // Vulnerable: error param causes state check to be skipped entirely
        if (!error && state !== expectedState) {
            res.writeHead(400);
            res.end('State mismatch');
            console.log('[-] CSRF attempt blocked.');
            return;
        }

        if (error) {
            res.writeHead(200);
            res.end(`Error: ${error}`);
            console.log(`[!] Server shutting down. Triggered by: ${error}`);
            server.close();
            return;
        }
    }
});

server.listen(12345, '127.0.0.1', () => {
    console.log('Listening on http://127.0.0.1:12345');
});

CVSS Base Scores

version 4.0
version 3.1