LOW 3.1

GHSA-84g9-w2xq-vcv6

React Router: Potential CSRF via PUT/PATCH/DELETE document requests

Details

Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate.

> [!NOTE] > This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#framework) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-router

Introduced in: 7.12.0 Fixed in: 7.15.1

Fix npm install react-router@7.15.1

npm / @remix-run/server-runtime

Introduced in: 2.17.3 Fixed in: 2.17.5

Fix npm install @remix-run/server-runtime@2.17.5

Details

Are you affected?

Affected packages

References