| Title | mickasmt next-saas-stripe-starter 1.0.0 Business Logic Errors |
|---|---|
| User | Ghufran Khan (UID 95493) |
| Submission | 07/03/2026 05:59 PM (1 month ago) |
| Moderation | 21/03/2026 05:49 PM (14 days later) |
| Status | Accepted |
| VulDB Entry | 352374 [mickasmt next-saas-stripe-starter 1.0.0 Checkout generate-user-stripe.ts generateUserStripe priceId] |
| Points | 17 |

**Description**

Arbitrary Stripe Price ID Injection in Checkout

File: `actions/generate-user-stripe.ts` (lines 18–56)
Called from: `components/forms/billing-form-button.tsx`
CWE: CWE-20 (Improper Input Validation)
OWASP: A01:2021 – Broken Access Control

The vulnerability: The `generateUserStripe` action takes a `priceId` parameter directly from the client and passes it to `stripe.checkout.sessions.create` without validating it against the application's known price IDs:

```typescript
export async function generateUserStripe(priceId: string): Promise<responseAction> {
  // ... (session/user lookup elided in the report)
  const stripeSession = await stripe.checkout.sessions.create({
    // ... (other session options elided in the report)
    line_items: [{ price: priceId, quantity: 1 }], // client-controlled, never checked
    metadata: { userId: user.id },
  });
  // ...
}
```

While `BillingFormButton` binds the `priceId` from config (`offer.stripeIds[year ? "yearly" : "monthly"]`), an attacker can call the server action directly with any Stripe price ID from the same Stripe account.

Attack scenario:

1. Attacker intercepts the server action call.
2. Substitutes a different price ID, potentially one with a $0 price, a trial, or a different product entirely.
3. Completes checkout at a manipulated price point.
4. The webhook handler (`app/api/webhooks/stripe/route.ts`) blindly writes whatever subscription data Stripe returns to the user record.

Fix: Validate the price ID against a whitelist of known plan IDs before creating the checkout session:

```typescript
import { pricingData } from "@/config/subscriptions";

// Collect every monthly/yearly price ID from the server-side plan config;
// filter(Boolean) drops plans (e.g. a free tier) that have no Stripe price.
const validPriceIds = pricingData
  .flatMap(p => [p.stripeIds.monthly, p.stripeIds.yearly])
  .filter(Boolean);

if (!validPriceIds.includes(priceId)) {
  throw new Error("Invalid price ID");
}
```
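The allowlist fix above, carried through as an added example that is not code from the next-saas-stripe-starter project: the submitted price ID is resolved against server-side plan config and rejected when unknown, and, going one step beyond the report, the webhook side maps a subscription's price back to a known plan so a manipulated checkout cannot write arbitrary plan data. Plan names, price IDs and the `CheckoutClient` interface are constructed for this example.

```typescript
// Added example, not project code. Price IDs and plan names are constructed
// placeholders; CheckoutClient is a narrow stand-in for stripe.checkout.sessions.
type Interval = "monthly" | "yearly";
type Plan = { title: string; stripeIds: Record<Interval, string | null> };

const pricingData: Plan[] = [
  { title: "Starter", stripeIds: { monthly: null, yearly: null } }, // free tier: no Stripe price
  { title: "Pro", stripeIds: { monthly: "price_EXAMPLE_pro_m", yearly: "price_EXAMPLE_pro_y" } },
  { title: "Business", stripeIds: { monthly: "price_EXAMPLE_biz_m", yearly: "price_EXAMPLE_biz_y" } },
];

// Known price IDs, built once from config on the server, never from request data.
const knownPrices = new Map<string, { plan: string; interval: Interval }>();
for (const p of pricingData) {
  for (const interval of ["monthly", "yearly"] as const) {
    const id = p.stripeIds[interval];
    if (id) knownPrices.set(id, { plan: p.title, interval });
  }
}

// Fail closed: anything that is not a string present in the allowlist is rejected.
function assertKnownPriceId(priceId: unknown): string {
  if (typeof priceId !== "string" || !knownPrices.has(priceId)) {
    throw new Error("Invalid price ID");
  }
  return priceId;
}

// Minimal view of the Stripe SDK call so a fake can replace it offline.
interface CheckoutClient {
  create(params: { line_items: { price: string; quantity: number }[]; metadata: Record<string, string> }): Promise<{ url: string | null }>;
}

// Hardened server action: validation runs before any Stripe call is made.
async function generateUserStripe(priceId: unknown, userId: string, client: CheckoutClient): Promise<string | null> {
  const price = assertKnownPriceId(priceId);
  const session = await client.create({ line_items: [{ price, quantity: 1 }], metadata: { userId } });
  return session.url;
}

// Webhook side: resolve the subscription's price to a plan; null means the
// handler must not write anything to the user record.
function planForSubscription(sub: { items: { data: { price: { id: string } }[] } }) {
  const first = sub.items.data[0];
  return first ? (knownPrices.get(first.price.id) ?? null) : null;
}
```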