8.2

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-3qmc-2r76-4rqp

EPSS Score

CWE

Published

11/10/2022

Updated

1/7/2023

KEV Status

Technology

JavaScript

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

GHSA-3qmc-2r76-4rqp

GHSA-3qmc-2r76-4rqp: Redwood is vulnerable to account takeover via dbAuth "forgot-password"

Impact

What kind of vulnerability is it? Who is impacted?

This is an API vulnerability in Redwood's [dbAuth], specifically the dbAuth forgot password feature:

only projects with the dbAuth "forgot password" feature are affected
this vulnerability was introduced in v0.38.0

User Accounts are Vulnerable to Takeover (Hijacking)

A reset token for any user can be obtained given knowledge of their username or email via the forgot-password API. With the leaked reset token, a malicious user could request to reset a user's password, changing their credentials and gaining access to their account.

How to Determine if Projects have been Attacked

To determine if a project has been attacked, we recommend checking logs for suspicious activity; namely, the volume of requests to the forgot-password API using emails that don't exist. Another indication is if users inform you that they can't access their accounts.

If you have question or concerns, reach out via the "For More Information" section below.

Patch Releases Available

The problem has been patched on the v3 and v2 release lines. Users should upgrade to v3.3.1+ or v2.2.5+ respectively.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

We recommend upgrading to the Patch Releases above. If upgrading is not possible, there are several workarounds:

Manually strip out `resetToken` and `resetTokenExpiresAt` in the `forgotPassword.handler()`

Users on all release lines can have their forgotPassword.handler() function strip out the sensitive fields manually before returning

handler: (user) => {
  // your code to notify/email user of the link to reset their password...

  const = { resetToken, resetTokenExpiresAt, ...rest }

  return rest
}

Use `yarn patch` to manually apply the fix

Users on v3 and v2 can use [yarn patch] to apply the fix if they're using yarn v3. See the dbAuth "forgot-password" Account Takeover Vulnerability high gist for instructions.

Disable the forgot password flow entirely v3 only

Users on v3 can disable the forgot password flow entirely.

(GitHub Advisory)

8.2

CVSS Score

3.1

Basic Information

CVE ID

GHSA ID

GHSA-3qmc-2r76-4rqp

EPSS Score

CWE

Published

11/10/2022

Updated

1/7/2023

KEV Status

Technology

JavaScript

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:L

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
@redwoodjs/api	npm	>= 0.38.0, < 2.2.5	2.2.5
@redwoodjs/api	npm	>= 3.0.0, < 3.3.1	3.3.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the forgotPassword handler returning full user records including sensitive reset credentials. The provided workaround explicitly shows modifying this handler to strip these fields, and the GitHub PR #6778 confirms the framework was patched by removing these fields from responses. Though exact framework file paths aren't shown in sources, the handler function's role in leaking credentials is clearly documented in advisories and fixes.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

# Imp**t _W**t kin* o* vuln*r**ility is it? W*o is imp**t**?_ T*is is *n *PI vuln*r**ility in R**woo*'s [***ut*], sp**i*i**lly t** ***ut* *or*ot p*sswor* ***tur*: - only proj**ts wit* t** ***ut* "*or*ot p*sswor*" ***tur* *r* *****t** - t*is vuln*r*

Reasoning

T** vuln*r**ility st*ms *rom t** `*or*otP*sswor*` **n*l*r r*turnin* *ull us*r r**or*s in*lu*in* s*nsitiv* r*s*t *r***nti*ls. T** provi*** work*roun* *xpli*itly s*ows mo*i*yin* t*is **n*l*r to strip t**s* *i*l*s, *n* t** *it*u* PR #**** *on*irms t** *

8.2

Basic Information

Concerned about an active attack path?

GHSA-3qmc-2r76-4rqp: Redwood is vulnerable to account takeover via dbAuth "forgot-password"

Impact

User Accounts are Vulnerable to Takeover (Hijacking)

How to Determine if Projects have been Attacked

Patch Releases Available

Workarounds

Manually strip out resetToken and resetTokenExpiresAt in the forgotPassword.handler()

Use yarn patch to manually apply the fix

Disable the forgot password flow entirely v3 only

8.2

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Manually strip out `resetToken` and `resetTokenExpiresAt` in the `forgotPassword.handler()`

Use `yarn patch` to manually apply the fix

Vulnerability Intelligence
Miggo AI