CVE-2026-22030
CSRF Vulnerability in React Router Server-Side Route Handlers
Publication date: 2026-01-10
Last updated on: 2026-02-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| remix-run | server-runtime | to 2.17.3 (exc) |
| remix-run | server-runtime | 2.17.3 |
| react-router | react-router | From 7.0.0 (inc) to 7.11.0 (inc) |
| react-router | react-router | 7.12.0 |
| shopify | react-router | From 7.0.0 (inc) to 7.11.0 (exc) |
| shopify | remix-run/react | to 2.17.3 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-346 | The product does not properly verify that the source of data or communication is valid. |
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-22030 is a Cross-Site Request Forgery (CSRF) vulnerability in React Router and Remix v2 that affects document POST requests to UI routes when using server-side route action handlers in Framework Mode or React Server Actions in unstable React Server Components (RSC) modes. The vulnerability occurs because the software fails to properly validate the origin of requests, allowing attackers to trick authenticated users into making unintended requests. It affects @remix-run/server-runtime versions prior to 2.17.3 and react-router versions 7.0.0 through 7.11.0. Applications using Declarative Mode or Data Mode are not affected. The issue has been patched in later versions. [1]
How can this vulnerability impact me?
This vulnerability can allow an attacker to perform unauthorized actions on behalf of an authenticated user by exploiting CSRF on document POST requests. While it does not impact confidentiality or availability, it has a high integrity impact, meaning attackers can cause unauthorized modification of data. The attack can be performed remotely without any privileges but requires some user interaction. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade @remix-run/server-runtime to version 2.17.3 or later, and react-router to version 7.12.0 or later. Avoid using Framework Mode server-side route action handlers or React Server Actions in unstable RSC modes until patched versions are applied. If your application uses Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter / <RouterProvider>), it is not affected. These steps will ensure proper origin validation and prevent CSRF attacks. [1]
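The answers above describe the root cause as missing origin validation on document POST requests to UI routes. The following is an added defensive example, not code from the React Router or Remix projects and not their actual patch: it shows what an application-level origin check for a server-side route action handler can look like while the upgrade is being rolled out. It assumes the Fetch-API-style action signature (`{ request }`) that Remix and React Router Framework Mode actions receive, and the `ALLOWED_ORIGIN` value and `app.example` hostnames are constructed placeholders.

```javascript
// Added defensive example: origin check for a server-side route action.
// Not the React Router / Remix patch; hostnames below are constructed placeholders.

const ALLOWED_ORIGIN = "https://app.example"; // assumed deployment origin (placeholder)

// Methods that must not change state and therefore need no CSRF check.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Decide whether a state-changing request came from our own origin.
// Returns null when the request is allowed, or a short reason string when it
// should be rejected.
function checkRequestOrigin(request, allowedOrigin = ALLOWED_ORIGIN) {
  if (SAFE_METHODS.has(request.method.toUpperCase())) return null;

  // 1. Fetch Metadata: modern browsers label cross-site navigations explicitly.
  //    "same-site" (a sibling subdomain) is deliberately not trusted here; it
  //    falls through to the Origin comparison below.
  const site = request.headers.get("sec-fetch-site");
  if (site === "cross-site") return "sec-fetch-site: cross-site";

  // 2. Origin header: browsers send it on every POST, including plain HTML
  //    form submissions (document POSTs), so an exact match is required.
  const origin = request.headers.get("origin");
  if (origin !== null) {
    return origin === allowedOrigin ? null : `origin mismatch: ${origin}`;
  }

  // 3. Fall back to Referer when Origin is absent (older clients, some privacy settings).
  const referer = request.headers.get("referer");
  if (referer !== null) {
    try {
      return new URL(referer).origin === allowedOrigin ? null : "referer mismatch";
    } catch {
      return "unparseable referer";
    }
  }

  // 4. No origin information at all: fail closed for state-changing requests.
  return "no origin information";
}

// Wrap an action so the check runs before the handler's own logic.
function withOriginCheck(action, allowedOrigin = ALLOWED_ORIGIN) {
  return async (args) => {
    const reason = checkRequestOrigin(args.request, allowedOrigin);
    if (reason !== null) {
      return new Response(`Forbidden: ${reason}`, { status: 403 });
    }
    return action(args);
  };
}

// Example handler (hypothetical): would update data on behalf of the logged-in user.
const updateProfile = async ({ request }) => {
  const form = await request.formData();
  return new Response(`updated name to ${form.get("name")}`, { status: 200 });
};

const guardedAction = withOriginCheck(updateProfile);

// Constructed sample document POST (a form submission), not captured traffic.
function sampleRequest(headers) {
  return new Request("https://app.example/profile", {
    method: "POST",
    headers: { "content-type": "application/x-www-form-urlencoded", ...headers },
    body: "name=alice",
  });
}
```

The check fails closed: a POST that carries neither `Sec-Fetch-Site` nor `Origin` nor `Referer` is rejected, because every browser that can be tricked into submitting a cross-site form will send at least one of them. Keep the wrapper on state-changing actions only; applying it to loaders would break legitimate deep links.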