Cross-site Request Forgery (CSRF) Affecting waku package, versions <1.0.0-beta.1


Severity

Recommended
0.0
high
0
10

CVSS assessment by Snyk's Security Team. Learn more

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Cross-site Request Forgery (CSRF) vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-JS-WAKU-17912686
  • published9 Jul 2026
  • disclosed8 Jul 2026
  • creditj0hndo

Introduced: 8 Jul 2026

NewCVE-2026-49455  (opens in a new tab)
CWE-352  (opens in a new tab)

How to fix?

Upgrade waku to version 1.0.0-beta.1 or higher.

Overview

waku is a ⛩️ The minimal React framework

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) through the request process. An attacker can execute unauthorized server actions by sending cross-origin POST requests with CORS-safelisted content types, causing the victim's browser to perform state-changing operations with their credentials attached. This is only exploitable if the application exposes server actions via 'use server' and the request is made to the RSC dispatch endpoint without an Origin validation step.

Workaround

This vulnerability can be mitigated by placing an Origin-validating reverse proxy or middleware in front of the application that rejects requests whose Origin header does not match the application's host on POST requests to the configured RSC base prefix.

CVSS Base Scores

version 4.0
version 3.1