📦 npm

GHSA-3qmc-2r76-4rqp

HIGH

Redwood is vulnerable to account takeover via dbAuth "forgot-password"

Published
Nov 10, 2022
Updated
Nov 10, 2022
Affected
2 pkgs
Patched
2 / 2
Exploits
None indexed

Blast Radius

2 pkgs affected

Weekly download volume for affected packages — a proxy for how broadly this vulnerability is deployed.

@redwoodjs/api (npm)
19K downloads / week

Description

Impact

What kind of vulnerability is it? Who is impacted?

This is an API vulnerability in Redwood's [dbAuth], specifically the dbAuth forgot password feature:

  • only projects with the dbAuth "forgot password" feature are affected
  • this vulnerability was introduced in v0.38.0

User Accounts are Vulnerable to Takeover (Hijacking)

A reset token for any user can be obtained given knowledge of their username or email via the forgot-password API. With the leaked reset token, a malicious user could request to reset a user's password, changing their credentials and gaining access to their account.

How to Determine if Projects have been Attacked

To determine if a project has been attacked, we recommend checking logs for suspicious activity; namely, the volume of requests to the forgot-password API using emails that don't exist. Another indication is if users inform you that they can't access their accounts.
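The advisory's detection advice, worked into a small log-triage script as an added example (this is not Redwood's or O3's code). It groups forgot-password requests by client address, slides a time window over each source, and flags sources whose requests in that window mostly name accounts that do not exist. The log format, the `userExists` field and every log line are constructed for this example; the advisory defines no log format, so adapt parseLine() to whatever your API function actually emits.

```javascript
// Added example, not part of the advisory or of Redwood: triage of API logs for
// the signal the advisory describes (many forgot-password requests for users
// that do not exist). Log format and sample lines are constructed.

// Constructed sample: one JSON object per line. `userExists` is assumed to be
// recorded by the application when it looks up the submitted username.
const SAMPLE_LOG = `
{"ts":"2022-11-10T10:00:01Z","ip":"198.51.100.7","path":"/auth","method":"forgotPassword","username":"alice@example.com","userExists":true}
{"ts":"2022-11-10T10:00:05Z","ip":"203.0.113.5","path":"/auth","method":"forgotPassword","username":"a@example.com","userExists":false}
{"ts":"2022-11-10T10:00:06Z","ip":"203.0.113.5","path":"/auth","method":"forgotPassword","username":"b@example.com","userExists":false}
{"ts":"2022-11-10T10:00:07Z","ip":"203.0.113.5","path":"/auth","method":"forgotPassword","username":"c@example.com","userExists":false}
{"ts":"2022-11-10T10:00:08Z","ip":"203.0.113.5","path":"/auth","method":"forgotPassword","username":"d@example.com","userExists":false}
{"ts":"2022-11-10T10:00:09Z","ip":"203.0.113.5","path":"/auth","method":"forgotPassword","username":"alice@example.com","userExists":true}
{"ts":"2022-11-10T10:00:30Z","ip":"198.51.100.7","path":"/auth","method":"login","username":"alice@example.com","userExists":true}
{"ts":"2022-11-10T11:30:00Z","ip":"192.0.2.44","path":"/auth","method":"forgotPassword","username":"zed@example.com","userExists":false}
`;

// Parses one log line; returns null for blank or malformed lines so a bad
// line never aborts the whole run.
function parseLine(line) {
  const t = line.trim();
  if (!t) return null;
  try {
    const o = JSON.parse(t);
    return { ...o, tsMs: Date.parse(o.ts) };
  } catch {
    return null;
  }
}

// Flags sources with at least `minRequests` forgot-password requests in any
// `windowMs` span where at least `unknownRatio` of them named a non-existent
// user. Thresholds are assumed defaults; tune them to your traffic.
function flagSuspiciousSources(logText, { windowMs = 5 * 60 * 1000, minRequests = 3, unknownRatio = 0.5 } = {}) {
  const byIp = new Map();
  for (const line of logText.split('\n')) {
    const ev = parseLine(line);
    if (!ev || ev.method !== 'forgotPassword' || Number.isNaN(ev.tsMs)) continue;
    if (!byIp.has(ev.ip)) byIp.set(ev.ip, []);
    byIp.get(ev.ip).push(ev);
  }
  const findings = [];
  for (const [ip, events] of byIp) {
    events.sort((a, b) => a.tsMs - b.tsMs);
    let start = 0;
    let unknown = 0;
    // Sliding window over this source's requests in time order.
    for (let end = 0; end < events.length; end++) {
      if (!events[end].userExists) unknown++;
      while (events[end].tsMs - events[start].tsMs > windowMs) {
        if (!events[start].userExists) unknown--;
        start++;
      }
      const total = end - start + 1;
      if (total >= minRequests && unknown / total >= unknownRatio) {
        findings.push({ ip, requests: total, unknownUsers: unknown, windowStart: events[start].ts, windowEnd: events[end].ts });
        break; // one finding per source is enough for triage
      }
    }
  }
  return findings;
}

// Whole-log volume check to go with the per-source one: forgot-password
// requests that named a user who does not exist.
function countUnknownUserRequests(logText) {
  return logText.split('\n').map(parseLine)
    .filter((ev) => ev && ev.method === 'forgotPassword' && ev.userExists === false).length;
}

console.log(flagSuspiciousSources(SAMPLE_LOG));
console.log('unknown-user forgot-password requests:', countUnknownUserRequests(SAMPLE_LOG));
```

On the sample, the 203.0.113.5 source is flagged after three unknown-user requests inside a few seconds, while the single unknown-user request from 192.0.2.44 stays below the threshold; a burst like the flagged one is the pattern worth correlating with the user reports the advisory mentions.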

If you have questions or concerns, reach out via the "For More Information" section below.

Patch Releases Available

The problem has been patched on the v3 and v2 release lines. Users should upgrade to v3.3.1+ or v2.2.5+ respectively.

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

We recommend upgrading to the Patch Releases above. If upgrading is not possible, there are several workarounds:

Manually strip out resetToken and resetTokenExpiresAt in the forgotPassword.handler()

Users on all release lines can have their forgotPassword.handler() function strip out the sensitive fields manually before returning.

handler: (user) => {
  // your code to notify/email user of the link to reset their password...

  // pull the token fields out of the record and return only the remainder
  const { resetToken, resetTokenExpiresAt, ...rest } = user

  return rest
}
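The pattern the Impact section describes, beside the workaround above, as an added example that is not Redwood's code: a handler that returns the whole user record next to one that strips resetToken and resetTokenExpiresAt, plus a small check a project can keep in its test suite to make sure its own handler never returns those fields. The user record is constructed; the two field names come from the advisory.

```javascript
// Added example, not part of Redwood or the advisory. The sample record is
// constructed to look like what dbAuth hands to forgotPassword.handler()
// after a reset token has been generated and stored.
const sampleUser = {
  id: 42,
  email: 'alice@example.com',
  resetToken: 'EXAMPLE-TOKEN-NOT-REAL',
  resetTokenExpiresAt: '2022-11-10T12:00:00.000Z',
};

// The shape the advisory warns about: the handler returns the full record, so
// the token fields end up in the forgot-password response.
function vulnerableHandler(user) {
  // ...notify the user by email here...
  return user;
}

// The workaround from the advisory: destructure the sensitive fields away and
// return only the remainder.
function hardenedHandler(user) {
  // ...notify the user by email here...
  const { resetToken, resetTokenExpiresAt, ...rest } = user;
  return rest;
}

// Fields that must never appear in what the handler returns.
const SENSITIVE_FIELDS = ['resetToken', 'resetTokenExpiresAt'];

// Returns the sensitive fields present in a handler's return value. Use it as a
// regression test against your own handler and expect an empty array.
function leakedFields(handlerResult) {
  if (handlerResult === null || typeof handlerResult !== 'object') return [];
  return SENSITIVE_FIELDS.filter((f) => Object.prototype.hasOwnProperty.call(handlerResult, f));
}

console.log('vulnerable handler leaks:', leakedFields(vulnerableHandler(sampleUser)));
console.log('hardened handler leaks:', leakedFields(hardenedHandler(sampleUser)));
```

Running leakedFields() against the handler in a unit test catches a later refactor that reintroduces `return user`, which is the kind of regression that is easy to miss because the email still gets sent and the flow still works.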

Use yarn patch to manually apply the fix

Users on v3 and v2 can use [yarn patch] to apply the fix if they're using yarn v3. See the dbAuth "forgot-password" Account Takeover Vulnerability high gist for instructions.

Disable the forgot password flow entirely (v3 only)

Users on v3 can disable the forgot password flow entirely.

Affected Packages

2 total, 2 fixed

Ecosystem | Package        | Vulnerable range      | Fix
npm       | @redwoodjs/api | >= 0.38.0 && < 2.2.5  | 2.2.5
npm       | @redwoodjs/api | >= 3.0.0 && < 3.3.1   | 3.3.1

Detection & mitigation playbook

Open-source dependency
  1. Detect

    Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for @redwoodjs/api. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.

  2. Fix

    Update @redwoodjs/api to 2.2.5 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-3qmc-2r76-4rqp is resolved across your whole dependency graph.

  3. Workarounds

    If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.

  4. How O3 protects you

    O3 pinpoints whether GHSA-3qmc-2r76-4rqp is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.

Tailored to GHSA-3qmc-2r76-4rqp. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.

O3 Security · Impact-Aware SCA

Is GHSA-3qmc-2r76-4rqp in your dependencies?

O3 detects GHSA-3qmc-2r76-4rqp across npm dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.