CVE Reports

Posted on • Originally published at cvereports.com

GHSA-9r75-g2cr-3h76: Predictable Webhook Tokens in Vercel Workflow

Vulnerability ID: GHSA-9R75-G2CR-3H76
CVSS Score: 7.5
Published: 2026-03-06

A high-severity vulnerability exists in the Vercel Workflow DevKit (@workflow/core) affecting the createWebhook() function. The vulnerability allows developers to manually specify predictable tokens for public webhook endpoints, leading to an Insecure Direct Object Reference (IDOR) flaw. Unauthenticated attackers can guess these tokens (e.g., github_webhook:repo_name) and send malicious POST requests to resume paused workflows, inject data, or trigger unauthorized state transitions. The vendor has patched this by removing the ability to specify custom tokens in favor of mandatory cryptographically secure identifiers.

TL;DR

The Vercel Workflow SDK allowed developers to set predictable tokens for public webhooks. Attackers can guess these tokens to manipulate running workflows without authentication. Fixed in version 4.2.0 by enforcing random token generation.


⚠️ Exploit Status: POC

Technical Details

  • Attack Vector: Network (Public Internet)
  • CVSS: 7.5 (High)
  • CWE: CWE-639 (IDOR)
  • Impact: Workflow Manipulation / Data Injection
  • Affected Component: createWebhook() API
  • Remediation: Upgrade to @workflow/core@4.2.0+

Affected Systems

  • Vercel Workflow DevKit
  • @workflow/core npm package
  • @workflow/core: < 4.2.0-beta.64 (Fixed in: 4.2.0-beta.64)

Code Analysis

Commit: 30e24d4

fix: prevent providing token to createWebhook

diff --git a/packages/core/src/workflow/create-hook.ts b/packages/core/src/workflow/create-hook.ts
index ...
--- a/packages/core/src/workflow/create-hook.ts
+++ b/packages/core/src/workflow/create-hook.ts
@@ -10,0 +11,6 @@
+  if (token !== undefined) {
+    throw new Error(
+      '`createWebhook()` does not accept a `token` option. Webhook tokens are always randomly generated...'
+    );
+  }
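Review bot: the runtime `throw` only rejects `token` when the call actually executes; since `create-hook.ts` is TypeScript, also remove `token` from the options type accepted by `createWebhook()` so that passing it fails at compile time, and record the removed option as a breaking change in the release notes. Note also that the header `@@ -10,0 +11,6 @@` announces six added lines while only five are shown here, so the quoted hunk is truncated.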

Mitigation Strategies

  • Enforce cryptographically secure random identifiers for all public webhook endpoints.
  • Implement secondary authentication (e.g., HMAC signatures) for webhook payloads.
  • Treat all webhook inputs as untrusted and validate schema strictly within the workflow.

Remediation Steps:

  1. Upgrade @workflow/core to version 4.2.0-beta.64 or later (stable 4.2.0).
  2. Search the codebase for calls to createWebhook({ token: ... }).
  3. Remove the token property from these calls.
  4. If deterministic identifiers are required for internal logic, switch to using createHook() combined with resumeHook() instead of the public createWebhook() API.

Read the full report for GHSA-9R75-G2CR-3H76 on our website for more details including interactive diagrams and full exploit analysis.
