Summary
Redwood is vulnerable to account takeover via dbAuth "forgot-password"
User Accounts are Vulnerable to Takeover (Hijacking)
A reset token for any user can be obtained given knowledge of their username or email via the forgot-password API. With the leaked reset token, a malicious user could request to reset a user's password, changing their credentials and gaining access to their account.
How to Determine if Projects have been Attacked
To determine if a project has been attacked, we recommend checking logs for suspicious activity; namely, the volume of requests to the forgot-password API using emails that don't exist. Another indication is if users inform you that they can't access their accounts.
If you have question or concerns, reach out via the "For More Information" section below.
Patch Releases Available
The problem has been patched on the v3 and v2 release lines. Users should upgrade to v3.3.1+ or v2.2.5+ respectively.
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
We recommend upgrading to the Patch Releases above. If upgrading is not possible, there are several workarounds:
Manually strip out resetToken and resetTokenExpiresAt in the forgotPassword.handler()
Users on all release lines can have their forgotPassword.handler() function strip out the sensitive fields manually before returning
handler: (user) => {
// your code to notify/email user of the link to reset their password...
const = { resetToken, resetTokenExpiresAt, ...rest }
return rest
}
Use yarn patch to manually apply the fix
Users on v3 and v2 can use [yarn patch] to apply the fix if they're using yarn v3. See the dbAuth "forgot-password" Account Takeover Vulnerability high gist for instructions.
Disable the forgot password flow entirely v3 only
Users on v3 can disable the forgot password flow entirely.
Impact
What kind of vulnerability is it? Who is impacted?
This is an API vulnerability in Redwood's [dbAuth], specifically the dbAuth forgot password feature:
- only projects with the dbAuth "forgot password" feature are affected
- this vulnerability was introduced in v0.38.0
GHSA-3QMC-2R76-4RQP has a CVSS score of 8.2 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (2.2.5, 3.3.1); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
@redwoodjs/api to 2.2.5 or later; @redwoodjs/api to 3.3.1 or later
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
Frequently Asked Questions
- What is GHSA-3QMC-2R76-4RQP? GHSA-3QMC-2R76-4RQP is a high-severity security vulnerability in @redwoodjs/api (npm), affecting versions >= 0.38.0, < 2.2.5. It is fixed in 2.2.5, 3.3.1.
- How severe is GHSA-3QMC-2R76-4RQP? GHSA-3QMC-2R76-4RQP has a CVSS score of 8.2 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of @redwoodjs/api are affected by GHSA-3QMC-2R76-4RQP? @redwoodjs/api (npm) versions >= 0.38.0, < 2.2.5 is affected.
- Is there a fix for GHSA-3QMC-2R76-4RQP? Yes. GHSA-3QMC-2R76-4RQP is fixed in 2.2.5, 3.3.1. Upgrade to this version or later.
- Is GHSA-3QMC-2R76-4RQP exploitable, and should I be worried? Whether GHSA-3QMC-2R76-4RQP is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether GHSA-3QMC-2R76-4RQP is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix GHSA-3QMC-2R76-4RQP?
- Upgrade
@redwoodjs/apito 2.2.5 or later - Upgrade
@redwoodjs/apito 3.3.1 or later
- Upgrade