Skip to main content

React Router CVE-2026-53663

| EUVDEUVD-2026-38338 LOW
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-15 https://github.com/remix-run/react-router GHSA-84g9-w2xq-vcv6
3.1
CVSS 3.1 · Vendor: https://github.com/remix-run/react-router

Severity by source

Vendor (https://github.com/remix-run/react-router) PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
vuln.today AI
3.1 LOW

AV:N for cross-origin web delivery; AC:H because ambient browser SameSite/CORS controls must be absent for exploitation; UI:R for required victim interaction; I:L as impact is limited integrity modification only.

3.1 AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/remix-run/react-router).

CVSS VectorVendor: https://github.com/remix-run/react-router

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 15, 2026 - 20:32 vuln.today
Analysis Generated
Jun 15, 2026 - 20:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 11 npm packages depend on @remix-run/server-runtime (5 direct, 6 indirect)
  • 50 npm packages depend on react-router (21 direct, 30 indirect)

Ecosystem-wide dependent count for version 2.17.3 and other introduced versions.

DescriptionCVE.org

Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate.

> [!NOTE] > This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

AnalysisAI

Incomplete CSRF protection in React Router v7 Framework Mode leaves PUT, PATCH, and DELETE document requests unguarded while POST requests are correctly validated. Applications running react-router 7.12.0-7.15.0 or @remix-run/server-runtime 2.17.3-2.17.4 in Framework Mode are the exclusive attack surface - Declarative and Data Mode deployments are unaffected. Real-world exploitability is substantially constrained by modern browser defaults (SameSite=Lax cookies, CORS preflight), meaning successful exploitation requires a browser or cookie configuration that bypasses these ambient controls; no public exploit code exists and this vulnerability is not in CISA KEV.

Technical ContextAI

React Router v7 Framework Mode is the full-stack server-rendering mode that handles server actions and loaders - distinct from the client-only Declarative Mode (<BrowserRouter>) and the data-fetching-only Data Mode (createBrowserRouter). The CSRF guard (CWE-352) in the affected server runtime was implemented only for HTTP POST document requests; PUT, PATCH, and DELETE methods - which are equally capable of triggering server-side mutations - were not subjected to the same validation. The flaw resides in the @remix-run/server-runtime package (CPE: pkg:npm/@remix-run_server-runtime), which underpins the react-router Framework Mode server (CPE: pkg:npm/react-router). The root cause is an incomplete method-coverage gap in the CSRF middleware rather than a fundamentally broken token implementation.

RemediationAI

Upgrade react-router to version 7.15.1 or later and @remix-run/server-runtime to version 2.17.5 or later; both fix versions are confirmed in the official GitHub Security Advisory GHSA-84g9-w2xq-vcv6 at https://github.com/remix-run/react-router/security/advisories/GHSA-84g9-w2xq-vcv6. For teams that cannot patch immediately, ensure session cookies are set with SameSite=Lax or SameSite=Strict - this is the browser default in Chrome, Firefox, and Safari and effectively blocks the cross-site cookie delivery that CSRF exploits rely on. Additionally, verify that the application's CORS configuration does not allow credentialed requests from untrusted cross-origin sources; a permissive Access-Control-Allow-Origin combined with Access-Control-Allow-Credentials: true would undermine both the browser's ambient protections and the missing CSRF check. Neither of these compensating controls has adverse side effects in standard Framework Mode deployments.

Share

CVE-2026-53663 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy