MEDIUM 6.5

GHSA-h5cw-625j-3rxh

React Router has CSRF issue in Action/Server Action Request Processing

Details

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route `action` handlers in [Framework Mode](https://reactrouter.com/start/modes#framework), or when using React Server Actions in the new unstable RSC modes.

> [!NOTE] > This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-router

Introduced in: 7.0.0 Fixed in: 7.12.0

Fix npm install react-router@7.12.0

npm / @remix-run/server-runtime

Introduced in: 0 Fixed in: 2.17.3

Fix npm install @remix-run/server-runtime@2.17.3

References

https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2026-22030 [ADVISORY]
https://github.com/remix-run/react-router [PACKAGE]