Severity: medium · CWE-352 · OWASP A01:2021

No CSRF on Server Actions

Server Actions that do not validate the request origin can be invoked from malicious third-party sites, letting attackers trigger state-changing requests on behalf of logged-in users.

How It Works

Next.js Server Actions use POST requests under the hood. If you don't verify the Origin header, any site can POST to your action URL and your server will execute it using the victim's session cookie. This is a classic CSRF scenario applied to the newer Server Actions pattern.

Vulnerable Code

// BAD: no origin check — any site can trigger this
// db: the app's database client, assumed to be imported elsewhere
export async function deleteAccount(formData: FormData) {
  'use server';
  const userId = formData.get('userId');
  await db.users.delete({ where: { id: userId } });
}

Secure Code

// GOOD: verify origin before executing sensitive actions
import { headers } from 'next/headers';
// db: the app's database client, assumed to be imported elsewhere

export async function deleteAccount(formData: FormData) {
  'use server';
  // await works with both the synchronous headers() of Next.js 13/14
  // and the asynchronous one of Next.js 15
  const headersList = await headers();
  const origin = headersList.get('origin');
  // NEXT_PUBLIC_APP_URL must be exactly "scheme://host[:port]" with no
  // trailing slash or path, because that is all the Origin header carries;
  // a request without an Origin header (null) also fails this comparison
  if (origin !== process.env.NEXT_PUBLIC_APP_URL) {
    throw new Error('Forbidden');
  }
  const userId = formData.get('userId');
  await db.users.delete({ where: { id: userId } });
}

Real-World Example

Any authenticated action — account deletion, email change, password reset — can be triggered by embedding a hidden form on a malicious page. The victim just needs to visit that page while logged in.

How to Prevent It

  • Check the Origin or Referer header at the start of every sensitive Server Action
  • Use next-csrf or a custom CSRF token stored in a cookie for double-submit patterns
  • Keep SameSite=Strict or SameSite=Lax on session cookies to block cross-site requests by default
  • Require re-authentication (password prompt) for destructive actions like account deletion
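The first two prevention steps above, worked through as an added example that is not code from the original page or from Next.js itself: a reusable origin allow-list check (Origin first, Referer as fallback) and a double-submit token comparison. Both operate on the standard Fetch `Headers` and `FormData` objects, so they run and can be tested outside Next.js; inside an action you would pass `await headers()`. Every name here (`findTrustedOrigin`, `verifyDoubleSubmitToken`, `checkAction`, `ALLOWED_ORIGINS`, the `csrf` form field) is an assumption for this example.

```typescript
// Added example; not part of the original page or of Next.js.
// Allow-list of origins the app is served from (constructed sample value;
// a real app would derive it from NEXT_PUBLIC_APP_URL or similar).
export const ALLOWED_ORIGINS: readonly string[] = ['https://app.example.com'];

/** Reduce a URL or Origin header value to "scheme://host[:port]", or null if unparsable. */
export function normalizeOrigin(value: string): string | null {
  try {
    // URL.origin drops path, query and any trailing slash, so a config value
    // such as "https://app.example.com/" still matches the bare Origin header.
    return new URL(value).origin;
  } catch {
    // Covers malformed values and the literal "null" origin that browsers
    // send for sandboxed iframes and other opaque origins.
    return null;
  }
}

/**
 * Returns the request's origin if it is allow-listed, otherwise null.
 * Origin is checked first, then Referer as a fallback. A request carrying
 * neither header is rejected: browsers attach at least one to form POSTs,
 * so their absence means a non-browser client that must not ride on the
 * session cookie.
 */
export function findTrustedOrigin(reqHeaders: Headers, allowed: readonly string[]): string | null {
  const allowList = new Set<string>();
  for (const entry of allowed) {
    const o = normalizeOrigin(entry);
    if (o !== null) allowList.add(o);
  }
  const candidate = reqHeaders.get('origin') ?? reqHeaders.get('referer');
  if (candidate === null) return null;
  const origin = normalizeOrigin(candidate);
  // Exact match on the whole origin, so "app.example.com.evil.example" does not pass.
  return origin !== null && allowList.has(origin) ? origin : null;
}

/** Compare two strings without stopping at the first differing character. */
export function constantTimeEqual(a: string, b: string): boolean {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

/**
 * Double-submit check: the token the server placed in a cookie must equal the
 * token the form sent back. A cross-site page can make the browser send the
 * cookie but cannot read it to copy the value into its own form.
 */
export function verifyDoubleSubmitToken(cookieToken: string | null, formToken: unknown): boolean {
  if (cookieToken === null || cookieToken.length === 0) return false;
  if (typeof formToken !== 'string') return false;
  return constantTimeEqual(cookieToken, formToken);
}

/** How a sensitive action combines both checks before doing any work. */
export function checkAction(
  reqHeaders: Headers,
  formData: FormData,
  cookieToken: string | null,
): 'ok' | 'rejected' {
  if (findTrustedOrigin(reqHeaders, ALLOWED_ORIGINS) === null) return 'rejected';
  return verifyDoubleSubmitToken(cookieToken, formData.get('csrf')) ? 'ok' : 'rejected';
}

// Constructed sample requests: a same-origin submission and a cross-site one.
const goodForm = new FormData();
goodForm.append('csrf', 'tok-123');
console.log(checkAction(new Headers({ origin: 'https://app.example.com' }), goodForm, 'tok-123'));
console.log(checkAction(new Headers({ origin: 'https://evil.example' }), goodForm, 'tok-123'));
```

In an action, throw when `findTrustedOrigin` returns null before touching any data. Next.js 14 and later already compare the Origin header with the Host header for Server Actions; an explicit check like this is defense in depth, and the token check covers the case where the origin headers are absent or the app is served from several hosts.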

Affected Technologies

Next.js

Data Hogo detects this vulnerability automatically.
