CVE-2026-22030
Unknown Unknown - Not Provided
CSRF Vulnerability in React Router Server-Side Route Handlers

Publication date: 2026-01-10

Last updated on: 2026-02-05

Assigner: GitHub, Inc.

Description
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-10
Last Modified
2026-02-05
Generated
2026-06-16
AI Q&A
2026-01-10
EPSS Evaluated
2026-06-15
NVD
CVE-2026-22030
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
remix-run server-runtime to 2.17.3 (exc)
remix-run server-runtime 2.17.3
react-router react-router From 7.0.0 (inc) to 7.11.0 (inc)
react-router react-router 7.12.0
shopify react-router From 7.0.0 (inc) to 7.11.0 (exc)
shopify remix-run/react to 2.17.3 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-346 The product does not properly verify that the source of data or communication is valid.
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-22030 is a Cross-Site Request Forgery (CSRF) vulnerability in React Router and Remix v2 that affects document POST requests to UI routes when using server-side route action handlers in Framework Mode or React Server Actions in unstable React Server Components (RSC) modes. The vulnerability occurs because the software fails to properly validate the origin of requests, allowing attackers to trick authenticated users into making unintended requests. It affects @remix-run/server-runtime versions prior to 2.17.3 and react-router versions 7.0.0 through 7.11.0. Applications using Declarative Mode or Data Mode are not affected. The issue has been patched in later versions. [1]

Impact Analysis

This vulnerability can allow an attacker to perform unauthorized actions on behalf of an authenticated user by exploiting CSRF on document POST requests. While it does not impact confidentiality or availability, it has a high integrity impact, meaning attackers can cause unauthorized modification of data. The attack can be performed remotely without any privileges but requires some user interaction. [1]

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade @remix-run/server-runtime to version 2.17.3 or later, and react-router to version 7.12.0 or later. Avoid using Framework Mode server-side route action handlers or React Server Actions in unstable RSC modes until patched versions are applied. If your application uses Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter / <RouterProvider>), it is not affected. These steps will ensure proper origin validation and prevent CSRF attacks. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-22030. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart