Impact
RedwoodSDK versions 1.0.0-beta.50 through 1.0.5 allow server functions exported from "use server" files to be invoked with GET requests instead of the HTTP method they were intended for. In applications that rely on cookie authentication with SameSite=Lax cookies, browsers automatically attach the authentication cookie to top-level GET requests, including navigations initiated by another site. A malicious site can therefore trigger a state-changing server function simply by causing the victim's browser to load its URL, performing actions the victim never authorized. This is a classic CSRF vulnerability and can affect any server-side logic exposed through the framework.
Affected Systems
The vulnerability affects the RedwoodJS SDK, specifically server-first React applications built with RedwoodSDK versions 1.0.0-beta.50 through 1.0.5. All server functions defined in "use server" files are affected, whether they are named handlers or exported bare functions.
Risk and Exploitability
The CVSS score of 8.1 indicates high severity. Although no EPSS score is available and the issue is not listed in the KEV catalog, the attack vector is clear: a cross-site GET request exploits the flaw whenever the victim is authenticated with a SameSite=Lax cookie. The absence of a mitigation in affected releases and the potential for state-changing operations make exploitation highly likely in environments that expose these functions to the public. Monitoring for unusual requests (for example, GET requests to server-function endpoints carrying a session cookie) can help detect exploitation, but the vulnerability's impact remains significant until the application is upgraded to a patched version.
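The following is an added example, not RedwoodSDK code, illustrating the mechanism described above: a dispatcher that accepts any method invokes a server function on a cross-site GET that carries a SameSite=Lax cookie, while a dispatcher that allow-lists POST and checks browser fetch metadata rejects it before any state changes. The path prefix, origin and cookie name are constructed placeholders, and the guard is a generic Fetch-API request filter, not the framework's own fix.

```javascript
// Added example (not RedwoodSDK code): contrasts a method-agnostic server-function
// dispatcher with one that enforces POST plus Origin/Sec-Fetch-Site checks.
// SERVER_FN_PATH, ALLOWED_ORIGIN and the cookie name are constructed placeholders.
const SERVER_FN_PATH = "/__server-fn/";
const ALLOWED_ORIGIN = "https://app.example.com";

function hasSession(request) {
  return (request.headers.get("cookie") || "").includes("session=");
}

// Vulnerable behaviour as the advisory describes it: any HTTP method reaches the
// function, so a top-level cross-site GET (which carries a SameSite=Lax cookie) runs it.
function vulnerableDispatch(request) {
  const { pathname } = new URL(request.url);
  if (!pathname.startsWith(SERVER_FN_PATH)) return { invoked: false, reason: "not a server function" };
  if (!hasSession(request)) return { invoked: false, reason: "unauthenticated" };
  return { invoked: true, reason: "ok" };
}

// Hardened dispatch: method allow-list first, then browser-supplied fetch metadata,
// then the session. Every rejection happens before any state-changing code runs.
function hardenedDispatch(request) {
  const { pathname } = new URL(request.url);
  if (!pathname.startsWith(SERVER_FN_PATH)) return { invoked: false, reason: "not a server function" };
  if (request.method !== "POST") return { invoked: false, reason: "method not allowed" };
  // Browsers set Sec-Fetch-Site on every request; a navigation from another site is "cross-site".
  const fetchSite = request.headers.get("sec-fetch-site");
  if (fetchSite && fetchSite !== "same-origin") return { invoked: false, reason: "cross-site request" };
  // Browsers send Origin on POST requests; it must equal the application's own origin.
  if (request.headers.get("origin") !== ALLOWED_ORIGIN) return { invoked: false, reason: "origin mismatch" };
  if (!hasSession(request)) return { invoked: false, reason: "unauthenticated" };
  return { invoked: true, reason: "ok" };
}

// Constructed requests. The first models what a victim's browser emits when another
// site navigates it to the server-function URL: SameSite=Lax still attaches the cookie.
function crossSiteGetRequest() {
  return new Request(`${ALLOWED_ORIGIN}${SERVER_FN_PATH}updateProfile`, {
    method: "GET",
    headers: { cookie: "session=abc123", "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate" },
  });
}
// The second models a legitimate same-origin submission from the application itself.
function sameOriginPostRequest() {
  return new Request(`${ALLOWED_ORIGIN}${SERVER_FN_PATH}updateProfile`, {
    method: "POST",
    headers: { cookie: "session=abc123", origin: ALLOWED_ORIGIN, "sec-fetch-site": "same-origin" },
    body: "[]",
  });
}
```

The hardened guard also rejects `Sec-Fetch-Site: same-site` (a sibling subdomain) and `none` (a URL typed by the user), which is the right default for endpoints that mutate state.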
OpenCVE Enrichment
GitHub GHSA