GHSA-75w3-gmqx-993q: Waku: Cross-Origin CSRF on RSC Server Action Dispatch
Summary
Waku's RSC request dispatcher invokes server actions without validating the request's Origin (or Sec-Fetch-Site) header. A cross-origin web attacker can therefore cause a victim browser to issue an authenticated POST to a registered server action endpoint using a CORS-safelisted content type (text/plain), which does not trigger a preflight. Any state-mutating server action that the application exposes via 'use server' can be invoked with the victim's cookies attached. A working proof-of-concept demonstrates the vulnerability against waku 1.0.0-beta.0 dev server: a cross-origin POST with Content-Type: text/plain invokes a registered 'use server' action and returns HTTP 200 with an RSC stream response. The same defect affects the progressive-enhancement (no-JavaScript) server action path: a cross-origin HTML form auto-submitting multipart/form-data reaches the dispatch through a second unguarded branch of the request handler, dynamically confirmed on 2026-05-17. Both branches were confirmed exploitable from opaque-origin contexts (sandboxed iframes, file:// navigation, browser extension pages), which send Origin: null — a value no Origin guard exists to reject. This is the same vulnerability class previously disclosed for Next.js Server Actions (GHSA-mq59-m269-xvcx); waku's implementation is broader in that no Origin check exists at all in the default request handler.
Root cause
In packages/waku/src/lib/utils/request.ts:
// line 29
if (pathname.startsWith(rscPathPrefix)) {
rscPath = decodeRscPath(pathname.slice(rscPathPrefix.length));
const actionId = decodeFuncId(rscPath);
if (actionId) {
const body = await getActionBody(req);
const args = await decodeReply(body, { temporaryReferences });
const action = await loadServerAction(actionId);
// ...action is invoked with attacker-supplied args
}
}
The sibling else if (req.method === 'POST') branch (line 61) does enforce a method check, but only for non-RSC paths. The RSC dispatch branch has no equivalent guard
Details
Original advisory: https://github.com/advisories/GHSA-75w3-gmqx-993q
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-49455 | coverage & exploitation status | NVD · CVE.org |
More from GitHub Security Advisories
- criticalGHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API …2026-07-10
- highGHSA-fpg8-7664-jc5q: melange: Incomplete package integrity verification allows data section substitution2026-07-10
- mediumGHSA-48rx-c7pg-q66r: Excon does not redact additional sensitive/risky headers when following redirects2026-07-10
- highGHSA-h4g2-xfmw-q2c9: Clauster: Non-loopback deployments can serve the dashboard unauthenticated when auth.enab…2026-07-10
- mediumGHSA-rqq5-2gf9-4w4q: Secure Headers: CSP directive injection via sandbox, plugin_types, and report_to when giv…2026-07-10