Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
AV:N for cross-origin web delivery; AC:H because ambient browser SameSite/CORS controls must be absent for exploitation; UI:R for required victim interaction; I:L as impact is limited integrity modification only.
Primary rating from Vendor (https://github.com/remix-run/react-router).
CVSS VectorVendor: https://github.com/remix-run/react-router
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 11 npm packages depend on @remix-run/server-runtime (5 direct, 6 indirect)
- 50 npm packages depend on react-router (21 direct, 30 indirect)
Ecosystem-wide dependent count for version 2.17.3 and other introduced versions.
DescriptionCVE.org
Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate.
> [!NOTE] > This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
AnalysisAI
Incomplete CSRF protection in React Router v7 Framework Mode leaves PUT, PATCH, and DELETE document requests unguarded while POST requests are correctly validated. Applications running react-router 7.12.0-7.15.0 or @remix-run/server-runtime 2.17.3-2.17.4 in Framework Mode are the exclusive attack surface - Declarative and Data Mode deployments are unaffected. Real-world exploitability is substantially constrained by modern browser defaults (SameSite=Lax cookies, CORS preflight), meaning successful exploitation requires a browser or cookie configuration that bypasses these ambient controls; no public exploit code exists and this vulnerability is not in CISA KEV.
Technical ContextAI
React Router v7 Framework Mode is the full-stack server-rendering mode that handles server actions and loaders - distinct from the client-only Declarative Mode (<BrowserRouter>) and the data-fetching-only Data Mode (createBrowserRouter). The CSRF guard (CWE-352) in the affected server runtime was implemented only for HTTP POST document requests; PUT, PATCH, and DELETE methods - which are equally capable of triggering server-side mutations - were not subjected to the same validation. The flaw resides in the @remix-run/server-runtime package (CPE: pkg:npm/@remix-run_server-runtime), which underpins the react-router Framework Mode server (CPE: pkg:npm/react-router). The root cause is an incomplete method-coverage gap in the CSRF middleware rather than a fundamentally broken token implementation.
RemediationAI
Upgrade react-router to version 7.15.1 or later and @remix-run/server-runtime to version 2.17.5 or later; both fix versions are confirmed in the official GitHub Security Advisory GHSA-84g9-w2xq-vcv6 at https://github.com/remix-run/react-router/security/advisories/GHSA-84g9-w2xq-vcv6. For teams that cannot patch immediately, ensure session cookies are set with SameSite=Lax or SameSite=Strict - this is the browser default in Chrome, Firefox, and Safari and effectively blocks the cross-site cookie delivery that CSRF exploits rely on. Additionally, verify that the application's CORS configuration does not allow credentialed requests from untrusted cross-origin sources; a permissive Access-Control-Allow-Origin combined with Access-Control-Allow-Credentials: true would undermine both the browser's ambient protections and the missing CSRF check. Neither of these compensating controls has adverse side effects in standard Framework Mode deployments.
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38338
GHSA-84g9-w2xq-vcv6