Title: mickasmt next-saas-stripe-starter 1.0.0 Business Logic Errors

Description: Arbitrary Stripe Price ID Injection in Checkout
File: `actions/generate-user-stripe.ts` (lines 18–56)
Called from: `components/forms/billing-form-button.tsx`
CWE: CWE-20 (Improper Input Validation)
OWASP: A01:2021 – Broken Access Control

The vulnerability: The `generateUserStripe` action takes a `priceId` parameter directly from the client and passes it to `stripe.checkout.sessions.create` without validating it against the application's known price IDs:
```typescript
export async function generateUserStripe(priceId: string): Promise<responseAction> {
  // ...
  const stripeSession = await stripe.checkout.sessions.create({
    // ...
    line_items: [{ price: priceId, quantity: 1 }], // client-controlled
    metadata: { userId: user.id },
  });
}
```
While `BillingFormButton` binds the `priceId` from config (`offer.stripeIds[year ? "yearly" : "monthly"]`), an attacker can call the server action directly with any Stripe price ID from the same Stripe account.
Attack scenario:
1. Attacker intercepts the server action call.
2. Substitutes a different price ID — potentially one with a $0 price, a trial, or a different product entirely.
3. Completes checkout at a manipulated price point.
4. The webhook handler (`app/api/webhooks/stripe/route.ts`) blindly writes whatever subscription data Stripe returns to the user record.
Fix: Validate the price ID against a whitelist of known plan IDs:
```typescript
import { pricingData } from "@/config/subscriptions";

// Every configured price ID, with empty entries (free tier) dropped
const validPriceIds = pricingData
  .flatMap(p => [p.stripeIds.monthly, p.stripeIds.yearly])
  .filter(Boolean);

if (!validPriceIds.includes(priceId)) {
  throw new Error("Invalid price ID");
}
```
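The following is an added, self-contained illustration of the fix described above; it is not code from the next-saas-stripe-starter project or from the submission. It builds the allowlist from a constructed `pricingData` sample of the same shape, guards a client-supplied `priceId` before it reaches checkout, and adds the complementary check the report's attack step 4 calls for: resolving the price ID on a Stripe subscription object back to a known plan before the webhook writes it to the user record. The plan names, price ID strings, and the `PricingPlan`/`SubscriptionLike` types are assumptions for this example; `items.data[0].price.id` is the field path on a Stripe subscription object.

```typescript
// Added example, not project code. Sample data and types are constructed here.

type Interval = "monthly" | "yearly";

interface PricingPlan {
  title: string;
  stripeIds: { monthly: string | null; yearly: string | null };
}

// Constructed sample mirroring the shape of `pricingData` in `config/subscriptions`.
// The free tier has no Stripe price IDs, which is why the allowlist must drop nulls.
export const pricingData: PricingPlan[] = [
  { title: "Starter", stripeIds: { monthly: null, yearly: null } },
  { title: "Pro", stripeIds: { monthly: "price_pro_month_demo", yearly: "price_pro_year_demo" } },
  { title: "Business", stripeIds: { monthly: "price_biz_month_demo", yearly: "price_biz_year_demo" } },
];

export interface PlanRef {
  plan: string;
  interval: Interval;
}

// Allowlist keyed by price ID. The value records which plan and billing
// interval the ID belongs to, so the same map serves the webhook handler.
export function buildPriceAllowlist(plans: PricingPlan[]): Map<string, PlanRef> {
  const allow = new Map<string, PlanRef>();
  for (const p of plans) {
    if (p.stripeIds.monthly) allow.set(p.stripeIds.monthly, { plan: p.title, interval: "monthly" });
    if (p.stripeIds.yearly) allow.set(p.stripeIds.yearly, { plan: p.title, interval: "yearly" });
  }
  return allow;
}

export const priceAllowlist: Map<string, PlanRef> = buildPriceAllowlist(pricingData);

// Server-action guard: accepts only a string that is a configured price ID.
// Treating the input as `unknown` covers callers that bypass the form and
// send a non-string payload to the action.
export function assertKnownPriceId(priceId: unknown, allow: Map<string, PlanRef> = priceAllowlist): string {
  if (typeof priceId !== "string" || !allow.has(priceId)) {
    throw new Error("Invalid price ID");
  }
  return priceId;
}

// What the action would hand to `stripe.checkout.sessions.create` once the
// guard has passed; quantity is fixed server-side, never taken from the client.
export function checkoutLineItemsFor(priceId: unknown): Array<{ price: string; quantity: number }> {
  return [{ price: assertKnownPriceId(priceId), quantity: 1 }];
}

// Minimal view of a Stripe subscription object as delivered to the webhook.
export interface SubscriptionLike {
  items: { data: Array<{ price: { id: string } }> };
}

// Webhook-side reconciliation: returns the plan the subscription's price
// belongs to, or null when the price is not one the application sells, so the
// handler can refuse to persist it instead of writing whatever Stripe returned.
export function resolvePlanFromSubscription(
  sub: SubscriptionLike,
  allow: Map<string, PlanRef> = priceAllowlist,
): PlanRef | null {
  const priceId = sub.items.data[0]?.price.id;
  if (!priceId) return null;
  return allow.get(priceId) ?? null;
}
```

In the action, `checkoutLineItemsFor(priceId)` replaces the raw `[{ price: priceId, quantity: 1 }]`; in the webhook route, a `null` from `resolvePlanFromSubscription` is the signal to log the event and skip the database write rather than store an unknown price.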
User: Ghufran Khan (UID 95493)
Submission: 2026-03-07 17:59 (3 months ago)
Moderation: 2026-03-21 17:49 (14 days later)
Status: Accepted
VulDB entry: 352374 [mickasmt next-saas-stripe-starter 1.0.0 Checkout generate-user-stripe.ts generateUserStripe priceId]
Points: 17