payload is vulnerable to Cross-Site Request Forgery (CSRF)
75
High Risk
In the cookie JWT extraction path in extractJWT.ts, a request with no Origin header was accepted with its auth cookie, so a cross-site request that omits Origin could authenticate as the logged-in user. The fix falls back to Sec-Fetch-Site when Origin is missing and, when CSRF is configured, rejects the cookie for requests whose Sec-Fetch-Site is cross-site or none.

Separately, forgot-password and verification email URLs were built from the request Host header without validation, so a forged Host could direct users (and the tokens in those links) to an attacker-controlled origin. The fix uses getRequestOrigin, which takes the origin from serverURL or validates the request's origin against the CORS/CSRF allowlist.

Additional hardening in this release includes stricter path and input validation (e.g. sanitizePathSegment, sanitizeUrl, and validation of query paths and upload URLs) to reduce injection and path traversal risk.
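The checks described above, as an added example that is not Payload's own code: the cookie-acceptance decision in its vulnerable and hardened forms, the Host-header problem beside allowlist-based origin resolution, and a single-segment path check. The config shape (allowedOrigins), the function names, the reset-link path and the rule that a request carrying no fetch metadata at all is still accepted are this example's assumptions, not the project's API.

```typescript
// Added example, not Payload's own code. Models the three checks the advisory
// describes: cookie acceptance (vulnerable vs hardened), origin resolution for
// links in outgoing email, and a path-segment check. Headers are looked up by
// lowercase name, as Node's http module stores them.

type RequestHeaders = Record<string, string | undefined>;

// Assumed config shape: origins allowed by the CORS/CSRF allowlist.
interface CsrfConfig {
  allowedOrigins: string[];
}

// Vulnerable form: a request with no Origin header is trusted, so a cross-site
// request whose Origin was omitted or stripped still authenticates as the user.
function acceptCookieVulnerable(h: RequestHeaders, csrf: CsrfConfig): boolean {
  const origin = h['origin'];
  if (origin === undefined) return true;
  return csrf.allowedOrigins.includes(origin);
}

// Hardened form: with Origin absent, consult Sec-Fetch-Site and refuse the
// cookie for "cross-site" and "none". A request with no fetch metadata at all
// (non-browser client) is still accepted; that boundary is this example's
// assumption, not a statement about Payload.
function acceptCookieHardened(h: RequestHeaders, csrf: CsrfConfig): boolean {
  const origin = h['origin'];
  if (origin !== undefined) return csrf.allowedOrigins.includes(origin);
  const site = h['sec-fetch-site'];
  if (site === 'cross-site' || site === 'none') return false;
  return true;
}

// Vulnerable form: the Host header is reflected into the link verbatim, so a
// forged Host sends the user's reset token to an attacker-controlled origin.
function emailOriginVulnerable(h: RequestHeaders, protocol: string): string {
  return `${protocol}://${h['host']}`;
}

// Hardened form: a configured serverURL wins; otherwise the origin built from
// the request must appear in the allowlist, else no origin is produced.
function getRequestOriginHardened(
  h: RequestHeaders,
  protocol: string,
  serverURL: string | undefined,
  csrf: CsrfConfig,
): string | null {
  if (serverURL) return serverURL;
  const host = h['host'];
  if (!host) return null;
  const candidate = `${protocol}://${host}`;
  return csrf.allowedOrigins.includes(candidate) ? candidate : null;
}

// Builds the forgot-password link only from a trusted origin (path assumed).
function buildResetLink(origin: string | null, token: string): string | null {
  if (origin === null) return null;
  return `${origin}/admin/reset/${encodeURIComponent(token)}`;
}

// Path-segment check: exactly one segment, no traversal, no separators, no NUL,
// and nothing percent-encoded that would decode to one. Rules are this example's.
function isSafePathSegment(segment: string): boolean {
  if (segment === '' || segment === '.' || segment === '..') return false;
  if (/[\/\\\0]/.test(segment)) return false;
  let decoded: string;
  try {
    decoded = decodeURIComponent(segment);
  } catch {
    return false; // malformed percent-encoding
  }
  return !/[\/\\\0]/.test(decoded) && decoded !== '..' && decoded !== '.';
}

// Demonstration on a constructed cross-site request with a forged Host.
function demo(): void {
  const csrf: CsrfConfig = { allowedOrigins: ['https://cms.example.com'] };
  const forged: RequestHeaders = { host: 'evil.example', 'sec-fetch-site': 'cross-site' };
  console.log('vulnerable accepts forged cookie:', acceptCookieVulnerable(forged, csrf));
  console.log('hardened accepts forged cookie:', acceptCookieHardened(forged, csrf));
  console.log('vulnerable reset origin:', emailOriginVulnerable(forged, 'https'));
  console.log('hardened reset origin:', getRequestOriginHardened(forged, 'https', undefined, csrf));
}

demo();
```

Note the interaction between the two fixes: if cookie auth is hardened but email links still trust Host, an attacker who can reach the server under a hostname of their choosing can still redirect password-reset tokens, so both checks are needed together.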
You are affected if you are using a version that falls within the vulnerable range.
payload is vulnerable to Cross-Site Request Forgery (CSRF) in versions 3.0.0 - 3.79.0.
Upgrade the payload library to a patched version outside the vulnerable range.