CSRF Vulnerability in GodObjectProfile Allows State Mutation via GET Requests on .NET 8 MVC App
A Cross-Site Request Forgery (CSRF) vulnerability has been identified in the GodObjectProfile component of a .NET 8 MVC application: state-mutating operations can be triggered through plain GET requests. The flaw, documented in a GitHub issue, lets an attacker modify a victim's profile data without holding any credentials of their own; it is enough that the victim is logged in and follows a maliciously crafted link. This behavior violates a basic web security principle: GET requests are meant to be safe, that is, free of side effects, which is exactly why browsers and frameworks do not guard them against cross-site triggering the way they guard form posts.
The vulnerability centers on the /Home/GodObjectProfile endpoint, where profile updates can be triggered via URL parameters without anti-forgery token validation. An attacker could embed a link that, when followed by a logged-in user, silently modifies profile settings such as email addresses, display names, or other personal data. Because the trigger is a top-level GET navigation, the SameSite=Lax cookie default offers no protection, since Lax still attaches cookies to such navigations; if the session cookie is SameSite=None, an invisible <img> tag on any page the victim visits is enough and no click is needed at all. The absence of POST-only enforcement and CSRF token checks means the application's state-changing logic lacks the standard defensive layer that modern MVC frameworks, including ASP.NET Core, provide out of the box. The issue was reported against a Demo1 MVC application running on .NET 8.
The flaw has been classified as a high-severity security risk aligned with OWASP Top 10 2017 category A5: Broken Access Control. Organizations using similar patterns in their .NET applications should audit endpoints handling user profile data to ensure all state mutations require POST requests with validated anti-forgery tokens. The recommended fix is to enforce proper HTTP method restrictions on every stateful action and to validate an anti-forgery token on each of them, either per action or globally at the application layer, so that a forgotten attribute on a new action cannot reopen the hole.
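The following is an added illustration of the pattern described above and of its fix; it is not code from the Demo1 project or from the GitHub issue. Only the route /Home/GodObjectProfile and the .NET 8 MVC framework come from the report; ProfileViewModel, IProfileService, the controller bodies and the renamed VulnerableHomeController (renamed only so both versions compile side by side) are assumptions.

```csharp
// Added example, not code from the Demo1 project or the GitHub issue.
// ProfileViewModel, IProfileService and the controller bodies are assumed.
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;

public class ProfileViewModel
{
    public string? Email { get; set; }
    public string? DisplayName { get; set; }
}

public interface IProfileService
{
    Task UpdateAsync(string userName, ProfileViewModel model);
}

// BEFORE: the shape of the reported flaw. With no HTTP-verb attribute the
// action answers GET as well as POST, model binding fills ProfileViewModel
// from the query string, and nothing checks an anti-forgery token. A victim
// who is logged in and follows a link such as
//   https://app.example/Home/GodObjectProfile?Email=attacker%40evil.test
// has the change applied with their own session cookie attached.
// (Renamed from HomeController here only so both versions compile together.)
public class VulnerableHomeController : Controller
{
    private readonly IProfileService _profiles;
    public VulnerableHomeController(IProfileService profiles) => _profiles = profiles;

    [Authorize]
    public async Task<IActionResult> GodObjectProfile(ProfileViewModel model)
    {
        await _profiles.UpdateAsync(User.Identity!.Name!, model);
        return RedirectToAction("Index");
    }
}

// AFTER: GET only renders the edit form; the mutation is POST-only and
// requires a valid anti-forgery token, which a cross-origin page can neither
// read nor forge. A forged GET with query parameters now just shows the form.
public class HomeController : Controller
{
    private readonly IProfileService _profiles;
    public HomeController(IProfileService profiles) => _profiles = profiles;

    [HttpGet]
    [Authorize]
    public IActionResult GodObjectProfile() => View(new ProfileViewModel());

    [HttpPost]
    [Authorize]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> GodObjectProfile(ProfileViewModel model)
    {
        if (!ModelState.IsValid) return View(model);
        await _profiles.UpdateAsync(User.Identity!.Name!, model);
        return RedirectToAction("Index");
    }
}

// Defense in depth, in Program.cs: validate the token on every unsafe verb
// (POST/PUT/PATCH/DELETE) application-wide, so a new action that forgets
// [ValidateAntiForgeryToken] is still covered.
//
//   builder.Services.AddControllersWithViews(options =>
//       options.Filters.Add(new AutoValidateAntiforgeryTokenAttribute()));
```

The Razor view for the hardened action should post with the form tag helper (`<form asp-action="GodObjectProfile" method="post">`), which emits the hidden `__RequestVerificationToken` field automatically. To confirm the fix, replay the original attack URL with a valid session cookie: the profile must stay unchanged and the response must be the form, not a redirect; then POST the same fields without the token and expect HTTP 400 from the anti-forgery filter.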