Mthx

#47549 of 53,624
5.3 Total CVSS
Vulnerabilities · 1
PT-2026-37173
5.3
2026-04-24
Unknown · Redwoodsdk · CVE-2026-42190
**Name of the Vulnerable Software and Affected Versions**

RedwoodSDK versions 1.0.0-beta.50 through 1.2.2

**Description**

Server actions in `rwsdk` enforce the HTTP method but do not validate the request's origin. A page that is cross-origin but same-site (for example a sibling subdomain, or a different port on `localhost`, since the port is not part of the site) can therefore issue a request that invokes a server action, and the browser attaches the victim's session cookie to it, because `SameSite=Lax` cookies are sent on same-site requests regardless of method. This is a cross-site request forgery against applications that use `serverAction()` or functions invoked via the RSC action protocol together with cookie-based authentication.

The impact is limited to the side effects of invoking the action, such as writes and state changes; the attacker cannot read the response. Exposure arises when an attacker controls a sibling subdomain of a custom domain, or a separate process on `localhost` during local development. Requests from unrelated origins are not affected, because the `SameSite=Lax` cookie default prevents the cookie from being sent with them.

**Recommendations**

Update to version 1.2.3. For applications that legitimately invoke server actions from another origin, add those origins to the `allowedOrigins` option on `defineApp`.
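The check the advisory says was missing, as an added example that is not code from `rwsdk` or the RedwoodSDK project: an Origin-header check for state-changing requests, compared against the site-level comparison that `SameSite=Lax` performs, to show why the latter does not stop a sibling subdomain or a second `localhost` port. The function names, the `/actions/delete-account` path and the `fakeRequest` helper are assumptions made for the illustration; the requests are constructed inline.

```javascript
// Added example (not rwsdk code): exact-origin validation for server actions.
// Methods that may have side effects and therefore need origin validation.
const STATE_CHANGING = new Set(["POST", "PUT", "PATCH", "DELETE"]);

// Registrable-domain ("site") comparison, roughly what SameSite=Lax uses when
// deciding whether to attach a cookie. This simplified version assumes a
// two-label eTLD+1 (a real implementation needs the Public Suffix List); it is
// here only to show that "same site" is weaker than "same origin".
function siteOf(hostname) {
  const labels = hostname.split(".");
  return labels.length <= 2 ? hostname : labels.slice(-2).join(".");
}

function sameSite(originA, originB) {
  const a = new URL(originA);
  const b = new URL(originB);
  // Port is deliberately ignored: that is why localhost:3001 is same-site
  // with localhost:3000 and its cookies travel with a POST between them.
  return a.protocol === b.protocol && siteOf(a.hostname) === siteOf(b.hostname);
}

// The hardened check: for state-changing methods, the Origin header must be
// exactly the request URL's own origin (scheme, host and port) or be listed
// in an explicit allowlist, analogous to an `allowedOrigins` option.
function originAllowed(request, allowedOrigins = []) {
  if (!STATE_CHANGING.has(request.method.toUpperCase())) return true;
  const self = new URL(request.url).origin;
  const origin = request.headers.get("origin");
  // Browsers send Origin on every POST; a missing header is treated as
  // untrusted rather than silently accepted. (Some deployments fall back
  // to Referer here; that is a policy choice, not shown.)
  if (origin == null) return false;
  return origin === self || allowedOrigins.includes(origin);
}

// Wrapper a framework would place in front of an action handler.
function guardAction(request, action, allowedOrigins = []) {
  if (!originAllowed(request, allowedOrigins)) {
    return { status: 403, body: "cross-origin action invocation refused" };
  }
  return action(request);
}

// Constructed stand-in for a Fetch Request so the example runs anywhere;
// only .method, .url and .headers.get() are used above.
function fakeRequest(method, url, origin) {
  const headers = new Map(origin === undefined ? [] : [["origin", origin]]);
  return { method, url, headers };
}

// Hypothetical action: the attacker cannot read this return value, but the
// side effect (deleting the account) is what the advisory warns about.
function deleteAccount() {
  return { status: 200, body: "account deleted" };
}

// Scenarios from the advisory: sibling subdomain and a second localhost port
// are same-site (cookie is sent) but cross-origin (check must refuse them).
function demo() {
  const target = "https://app.example.com/actions/delete-account";
  const local = "http://localhost:3000/actions/delete-account";
  return {
    siblingIsSameSite: sameSite("https://evil.example.com", "https://app.example.com"),
    siblingRefused: guardAction(fakeRequest("POST", target, "https://evil.example.com"), deleteAccount).status,
    sameOriginAllowed: guardAction(fakeRequest("POST", target, "https://app.example.com"), deleteAccount).status,
    allowlistedAllowed: guardAction(fakeRequest("POST", target, "https://admin.example.com"), deleteAccount,
      ["https://admin.example.com"]).status,
    localhostIsSameSite: sameSite("http://localhost:3001", "http://localhost:3000"),
    localhostRefused: guardAction(fakeRequest("POST", local, "http://localhost:3001"), deleteAccount).status,
    missingOriginRefused: guardAction(fakeRequest("POST", target), deleteAccount).status,
    unrelatedSiteNotSameSite: sameSite("https://attacker.example", "https://app.example.com"),
    getNotGuarded: originAllowed(fakeRequest("GET", target, "https://evil.example.com")),
  };
}

console.log(demo());
```

The site-level comparison returns `true` for both the sibling subdomain and the second `localhost` port, which is exactly why method enforcement alone is insufficient: the cookie arrives, so only an exact-origin match (or an explicit allowlist entry) distinguishes the victim's own app from an attacker-controlled same-site page.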