React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
History
Sat, 10 Jan 2026 03:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0. | |
| Title | React Router has CSRF issue in Action/Server Action Request Processing | |
| Weaknesses | CWE-346 CWE-352 |
|
| References |
| |
| Metrics |
cvssV3_1
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-01-10T02:42:44.603Z
Reserved: 2026-01-05T22:30:38.718Z
Link: CVE-2026-22030
Vulnrichment
No data.
NVD
Status : Received
Published: 2026-01-10T03:15:49.067
Modified: 2026-01-10T03:15:49.067
Link: CVE-2026-22030
Redhat
No data.
OpenCVE Enrichment
No data.