frappe-js-sdk is vulnerable to Cross-Site Request Forgery (CSRF)
Score: 55 (Medium Risk)
Affected versions of this package are vulnerable to Cross-Site Request Forgery because they reuse an outdated CSRF token cached during the initial page load instead of fetching the latest token from the window object for each request. This flaw allows an attacker to capture a token before server-side rotation and then forge requests during the grace period in which both the old and the new token remain valid. By tricking an authenticated user into executing these requests, an attacker could bypass CSRF protection and perform unauthorized actions such as account takeover or data manipulation, relying on the server's acceptance of the stale token.
You are affected if you are using a version that falls within the vulnerable range.
frappe-js-sdk is vulnerable to Cross-Site Request Forgery (CSRF) in versions 1.2.2 - 1.9.0.
Upgrade the frappe-js-sdk library to a patched version.
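The following is an added illustration, not code from frappe-js-sdk or from this advisory. It contrasts the flawed pattern the advisory describes (a CSRF token copied once at page load and reused) with the corrected pattern (the token read from the window object on every request), and models a server that honours a grace period after rotation so the difference is visible. The global name `window.csrf_token`, the header name `X-Frappe-CSRF-Token`, the token values and the `TokenValidator` class are assumptions made for the example; the window object is a constructed stand-in so the code runs under Node without a browser.

```javascript
// Added example (not frappe-js-sdk code). Assumed names: the page publishes the
// token as `window.csrf_token` and the server reads it from the
// `X-Frappe-CSRF-Token` header; both are assumptions, not taken from the advisory.

// Vulnerable pattern: the token is snapshotted when the client is built and
// never refreshed, so after server-side rotation the client keeps sending the
// stale value for as long as the server still accepts it.
class CachedTokenClient {
  constructor(win) {
    this.token = win.csrf_token; // copied once at "page load"
  }
  headersFor() {
    return { "X-Frappe-CSRF-Token": this.token };
  }
}

// Corrected pattern: the token is looked up at call time from the window
// object, so whatever value the page currently holds is what gets sent.
class LiveTokenClient {
  constructor(win) {
    this.win = win;
  }
  headersFor() {
    return { "X-Frappe-CSRF-Token": this.win.csrf_token };
  }
}

// Minimal server-side check modelled on the advisory: after rotation the
// previous token stays valid until the grace period closes. Tracking how many
// requests still arrive with the previous token is a cheap detection signal
// for clients that are not refreshing.
class TokenValidator {
  constructor(initial) {
    this.current = initial;
    this.previous = null;
    this.graceOpen = false;
    this.staleAccepted = 0; // requests accepted only because of the grace period
  }
  rotate(next) {
    this.previous = this.current;
    this.current = next;
    this.graceOpen = true;
  }
  closeGrace() {
    this.previous = null;
    this.graceOpen = false;
  }
  accepts(headers) {
    const t = headers["X-Frappe-CSRF-Token"];
    if (t === this.current) return true;
    if (this.graceOpen && t === this.previous) {
      this.staleAccepted += 1;
      return true;
    }
    return false;
  }
}

// Scenario: page loads with token-A, the server rotates to token-B and the
// page picks the new value up, then the grace period closes. Returns which
// client was accepted at each stage plus the stale-token counter.
function runScenario() {
  const win = { csrf_token: "token-A" }; // constructed stand-in for window
  const cached = new CachedTokenClient(win);
  const live = new LiveTokenClient(win);
  const server = new TokenValidator("token-A");

  server.rotate("token-B");
  win.csrf_token = "token-B";

  const duringGrace = {
    cached: server.accepts(cached.headersFor()),
    live: server.accepts(live.headersFor()),
  };
  server.closeGrace();
  const afterGrace = {
    cached: server.accepts(cached.headersFor()),
    live: server.accepts(live.headersFor()),
  };
  return { duringGrace, afterGrace, staleAccepted: server.staleAccepted };
}

console.log(JSON.stringify(runScenario()));
```

During the grace period both clients are accepted, which is exactly the window the advisory describes; once it closes only the client that re-reads the token keeps working. On the server side, a non-zero count of requests accepted via the previous token after rotation identifies clients that are still on the flawed pattern.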