bymayo/porter is vulnerable to Cross-Site Request Forgery (CSRF)
43
Medium Risk
Affected versions of this package expose the Deactivate Account action to Cross-Site Request Forgery (CSRF) because the operation was triggered via a simple GET link without CSRF protection. An attacker could craft a malicious webpage that silently issues a request to the porter/deactivate-account endpoint while a victim is authenticated, causing the victim’s account to be deactivated without their consent. By embedding the request in an image, link, or auto-submitting form, the attacker could trick users into visiting the page and unknowingly triggering the action. The patch mitigates this by requiring a POST request with a valid CSRF token.
You are affected if you are using a version that falls within the vulnerable range.
bymayo/porter is vulnerable to Cross-Site Request Forgery (CSRF) in versions 1.0.0 - 5.0.4.
Upgrade the bymayo/porter library to the patch version.
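The difference between the pre-patch and patched behaviour described above, as an added illustration in Python. It is not the plugin's own code: the handler names, the HMAC-based token scheme, the `csrf_token` parameter and the session values are assumptions constructed for this example.

```python
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)  # constructed per-process secret for the demo

def issue_csrf_token(session_id):
    # Token is bound to the session, so a page on another origin cannot guess it.
    return hmac.new(SERVER_KEY, session_id.encode(), hashlib.sha256).hexdigest()

def deactivate_vulnerable(method, session, params, accounts):
    # Pre-patch behaviour per the advisory: an authenticated GET is enough.
    if session is None:
        return 401
    accounts[session["user"]] = "deactivated"
    return 200

def deactivate_hardened(method, session, params, accounts):
    # Patched behaviour per the advisory: POST plus a valid CSRF token.
    if session is None:
        return 401
    if method != "POST":
        return 405
    supplied = str(params.get("csrf_token", ""))
    expected = issue_csrf_token(session["id"])
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        return 403
    accounts[session["user"]] = "deactivated"
    return 200

def run_demo():
    session = {"id": "sess-constructed-1", "user": "alice"}  # constructed sample
    results = {}
    # Cross-site request: the browser attaches the session cookie automatically,
    # but the foreign page cannot read the victim's token.
    for name, handler in (("vulnerable", deactivate_vulnerable),
                          ("hardened", deactivate_hardened)):
        accounts = {"alice": "active"}
        status = handler("GET", session, {}, accounts)
        results[name + "_cross_site_get"] = (status, accounts["alice"])
    # A POST carrying a guessed token is rejected as well.
    accounts = {"alice": "active"}
    status = deactivate_hardened("POST", session, {"csrf_token": "0" * 64}, accounts)
    results["hardened_forged_post"] = (status, accounts["alice"])
    # The site's own form, carrying the token issued to this session, succeeds.
    accounts = {"alice": "active"}
    token = issue_csrf_token(session["id"])
    status = deactivate_hardened("POST", session, {"csrf_token": token}, accounts)
    results["hardened_legit_post"] = (status, accounts["alice"])
    return results
```

After upgrading, a request log that still shows GET requests to porter/deactivate-account points at templates or links that have not been moved to the POST form.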