GHSA-26v7-h57m-gh9m
New API is vulnerable to CSRF through user email binding
Details
## Summary
The email and WeChat account binding endpoints used GET requests for state-changing account operations. In deployments where session cookies could be sent on cross-site navigations, an attacker could trigger a logged-in user's browser to bind an attacker-controlled email address or OAuth identity.
Affected endpoints included:
- `GET /api/oauth/email/bind` - `GET /api/oauth/wechat/bind`
## Impact
A successful attack could change account binding state. For email binding, the attacker could bind an email address they control and then attempt follow-on account recovery flows. The default session cookie configuration uses `SameSite=Strict`, which mitigates common cross-site navigation attacks in modern browsers, so the issue is rated Medium.
## Affected versions
Versions before `v0.12.0-alpha.1` are affected.
## Patches
This issue is fixed in `v0.12.0-alpha.1`. The fix changes email and WeChat binding routes from GET to POST and reads parameters from a JSON request body instead of query parameters. The same change set also normalizes password reset responses to avoid disclosing whether an email is registered.
## Workarounds
If upgrading immediately is not possible, ensure session cookies are configured with strict SameSite behavior and block GET requests to `/api/oauth/email/bind` and `/api/oauth/wechat/bind` at the reverse proxy.
## Resources
- Fixed by commit `e099117c61391abdf888fb75e382a582e550bd0e`. - Relevant code paths: `router/api-router.go` and `controller/user.go`.
Are you affected?
Enter the version of the package you're using.
Affected packages
0 Fixed in: 0.12.0-alpha.1 go get github.com/QuantumNous/new-api@v0.12.0-alpha.1