React Router and Remix CSRF Vulnerability in POST Document Requests

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability has been identified in React Router (versions 7.0.0 to 7.11.0) and in @remix-run/server-runtime (versions prior to 2.17.3). This vulnerability occurs in React Router when server-side route action handlers are used in Framework Mode, or when React Server Actions are employed in the unstable RSC modes. The issue arises on document POST requests to UI routes, creating a risk of CSRF attacks. However, applications using Declarative Mode with <BrowserRouter> or Data Mode with createBrowserRouter/<RouterProvider> are not affected.

Impact

Exploitation of this vulnerability allows for CSRF attacks on document POST requests to UI routes, potentially leading to unauthorized actions being performed on behalf of the user.

Remediation

Users can upgrade to @remix-run/server-runtime version 2.17.3 or react-router version 7.12.0 to address this vulnerability.
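The upgrade above is the fix. As an added, defence-in-depth illustration (not React Router's or Remix's own code, and not the patch they shipped), the block below shows the check a server-side action can run before handling a document POST: a cross-site form submission is distinguished from a same-origin one by the browser-sent Sec-Fetch-Site header, with the Origin header as a fallback. The allow-listed origin, the `guardAction` wrapper, and the `{ request }` argument shape are assumptions for this example; in production the allow-list would come from configuration.

```javascript
// Added example: classify a document POST as same-origin or cross-site.
// Assumed origin of the application (constructed for this example).
const ALLOWED_ORIGINS = new Set(["https://app.example"]);

// Works with a WHATWG Headers instance or a plain object with lowercase keys.
function getHeader(headers, name) {
  if (typeof headers.get === "function") return headers.get(name);
  const value = headers[name.toLowerCase()];
  return value === undefined ? null : value;
}

// Returns { allowed, reason }. Only POST requests are inspected; anything
// other than a same-origin POST is rejected. "same-site" (a sibling
// subdomain) is deliberately treated as untrusted.
function classifyDocumentPost(method, headers, allowedOrigins = ALLOWED_ORIGINS) {
  if (method.toUpperCase() !== "POST") {
    return { allowed: true, reason: "not a POST" };
  }
  const site = getHeader(headers, "sec-fetch-site");
  if (site !== null) {
    return site === "same-origin"
      ? { allowed: true, reason: "sec-fetch-site=same-origin" }
      : { allowed: false, reason: `sec-fetch-site=${site}` };
  }
  // Older browsers: fall back to the Origin header against an allow-list.
  const origin = getHeader(headers, "origin");
  if (origin === null) {
    return { allowed: false, reason: "no sec-fetch-site and no origin header" };
  }
  return allowedOrigins.has(origin)
    ? { allowed: true, reason: "origin allow-listed" }
    : { allowed: false, reason: `origin ${origin} not allow-listed` };
}

// Hypothetical wrapper around a route action that receives { request }.
// A rejected request never reaches the wrapped action; a 403 Response is
// returned synchronously so the decision is easy to log and test.
function guardAction(action, allowedOrigins = ALLOWED_ORIGINS) {
  return function guarded(args) {
    const { request } = args;
    const verdict = classifyDocumentPost(request.method, request.headers, allowedOrigins);
    if (!verdict.allowed) {
      console.warn(`blocked document POST: ${verdict.reason}`);
      return new Response("Forbidden", { status: 403 });
    }
    return action(args);
  };
}

// Stand-alone demonstration on constructed requests.
function demo() {
  const crossSite = {
    method: "POST",
    headers: new Headers({ "sec-fetch-site": "cross-site", origin: "https://evil.example" }),
  };
  const sameOrigin = {
    method: "POST",
    headers: new Headers({ "sec-fetch-site": "same-origin" }),
  };
  const action = guardAction(() => "action ran");
  return {
    crossSiteStatus: action({ request: crossSite }).status, // 403
    sameOriginResult: action({ request: sameOrigin }),        // "action ran"
  };
}

module.exports = { classifyDocumentPost, guardAction, demo };
```

The two-stage check matters for the fallback path: browsers that send Sec-Fetch-Site make the decision unambiguous, while the Origin allow-list covers the rest and fails closed when neither header is present.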

Added: Jan 10, 2026, 3:21 AM
Updated: Jan 10, 2026, 3:21 AM

Vulnerability Rating

Custom Algorithm

spread:         0.0
impact:         0.6
exploitability: 6.4
remediation:    7.7
relevance:      2.0
threat:         0.0
urgency:        2.9
incentive:      1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.