In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applicationsLearn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.
Start learningUpgrade waku to version 1.0.0-beta.1 or higher.
waku is a ⛩️ The minimal React framework
Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the request process. An attacker can execute unauthorized server actions by sending cross-origin POST requests with CORS-safelisted content types, causing the victim's browser to perform state-changing operations with their credentials attached. This is only exploitable if the application exposes server actions via 'use server' and the request is made to the RSC dispatch endpoint without an Origin validation step.
This vulnerability can be mitigated by placing an Origin-validating reverse proxy or middleware in front of the application that rejects requests whose Origin header does not match the application's host on POST requests to the configured RSC base prefix.