PT-2026-2138 · Unknown · @Remix-Run/Server-Runtime+1
Oceandust · Published 2026-01-08 · Updated 2026-01-30
CVE-2026-22030
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions
react-router versions 7.0.0 through 7.11.0
@remix-run/server-runtime versions prior to 2.17.3
Description
React Router, a router for React applications, is vulnerable to Cross-Site Request Forgery (CSRF). The issue affects document POST requests to UI routes when server-side route action handlers are used in Framework Mode, or when React Server Actions are used in the unstable React Server Components (RSC) modes. Applications using Declarative Mode () or Data Mode (createBrowserRouter/) are not affected.
Recommendations
Update @remix-run/server-runtime to version 2.17.3 or later.
Update react-router to version 7.12.0 or later.
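The weakness class here is an origin validation error on state-changing requests. The following is an added example, not code from React Router, Remix, or the fix itself: a generic server-side Origin check that could run in front of action handlers as defense in depth alongside the upgrade. The names `isAllowedOrigin`, `allowedOrigins`, and `makeRequest`, and all hostnames, are assumptions for illustration.

```javascript
// Added example (hypothetical helper, not the project's patch).
// Rejects state-changing requests whose Origin does not match the Host
// header or an explicit allowlist.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function isAllowedOrigin(request, allowedOrigins = []) {
  // Safe methods must not change state, so they are not checked here.
  if (SAFE_METHODS.has(request.method.toUpperCase())) return true;

  const origin = request.headers.get("origin");
  // Policy choice in this example: a missing Origin is rejected. The
  // literal "null" is an opaque origin (e.g. sandboxed frame): untrusted.
  if (!origin || origin === "null") return false;

  let originHost;
  try {
    // URL.host is lowercased and keeps any non-default port.
    originHost = new URL(origin).host;
  } catch {
    return false; // malformed Origin header
  }

  // Exact host comparison: substring or suffix matching would accept
  // look-alike hosts such as app.example.com.evil.example.
  // Assumption: Host reflects the public hostname. Behind a proxy, compare
  // against the forwarded host only if the proxy is trusted to set it.
  const host = request.headers.get("host");
  if (host && originHost === host.toLowerCase()) return true;

  // Additional trusted origins must be listed in full (scheme + host).
  return allowedOrigins.includes(origin);
}

// Constructed sample input: a minimal request shape with a
// Fetch-style headers.get() (header names lowercased).
function makeRequest(method, headers) {
  return { method, headers: new Map(Object.entries(headers)) };
}

const sameSite = makeRequest("POST", {
  origin: "https://app.example.com", host: "app.example.com" });
const crossSite = makeRequest("POST", {
  origin: "https://evil.example", host: "app.example.com" });
console.log(isAllowedOrigin(sameSite), isAllowedOrigin(crossSite));
```

The host comparison ignores the scheme, so a deployment that serves the same hostname over plain HTTP should also require `https:` in the parsed Origin.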
Origin Validation Error
CSRF
Affected Products
@Remix-Run/Server-Runtime
React Router