CVE-2026-53663
Awaiting Analysis Awaiting Analysis - Queue

CSRF Bypass in React Router v7 Framework Mode

Vulnerability report for CVE-2026-53663, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description

React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate. This vulnerability is fixed in 7.15.1.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-22
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
remix-run react-router From 7.12.0 (inc) to 7.15.1 (exc)
remix-run server-runtime From 2.17.3 (inc) to 2.17.5 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability involves insufficient CSRF checks on certain HTTP methods in React Router, which could potentially allow unauthorized actions. However, it is classified as low severity due to existing modern browser protections such as CORS preflight and SameSite cookies that mitigate the risk.

There is no direct information provided about how this vulnerability impacts compliance with common standards and regulations like GDPR or HIPAA.

Detection Guidance

This vulnerability affects React Router versions from 7.12.0 up to but not including 7.15.1, specifically in Framework Mode where CSRF checks are insufficient on PUT, PATCH, and DELETE requests.

To detect if your system is vulnerable, first identify if your application uses an affected version of react-router or @remix-run/server-runtime within the vulnerable version ranges.

You can check the installed package versions using commands like:

  • npm list react-router
  • npm list @remix-run/server-runtime

If the versions fall within the vulnerable range (react-router >=7.12.0 and <7.15.1, or @remix-run/server-runtime >=2.17.3 and <2.17.5), your application may be affected.

To detect exploitation attempts on your network, monitor HTTP requests for PUT, PATCH, or DELETE methods that bypass CSRF protections. However, since this vulnerability is mitigated by modern browser protections like CORS preflight and SameSite cookies, direct detection commands are limited.

You may use network monitoring tools or web server logs to filter for suspicious PUT, PATCH, or DELETE requests without proper CSRF tokens.

  • For example, using grep on server logs: grep -E "PUT|PATCH|DELETE" access.log | grep -v csrf_token

Note that the vulnerability does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter / <RouterProvider>).

Executive Summary

The CVE-2026-53663 vulnerability is a Cross-Site Request Forgery (CSRF) issue in React Router versions from 7.12.0 to before 7.15.1. In React Router v7 Framework Mode, CSRF checks were only applied to POST requests but were missing for PUT, PATCH, and DELETE requests. This means that an attacker could potentially perform unauthorized actions by exploiting the lack of CSRF protection on these HTTP methods.

However, the vulnerability is considered low severity because modern browser protections such as CORS preflight requests and SameSite cookies already block many cross-origin attack vectors that this missing CSRF check would otherwise allow.

Additionally, this vulnerability does not affect applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter / <RouterProvider>).

Impact Analysis

This vulnerability could allow an attacker to perform unauthorized actions on your application by exploiting missing CSRF protections on PUT, PATCH, and DELETE HTTP requests in affected React Router versions.

However, the impact is limited due to existing browser security features like CORS preflight and SameSite cookies that mitigate many cross-origin attacks.

The overall risk is low, but if your application relies on the affected React Router versions and uses Framework Mode, it is recommended to update to version 7.15.1 or later to fully address the issue.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade React Router to version 7.15.1 or later, where the CSRF checks have been fixed.

Additionally, ensure that your application is not relying solely on the insufficient CSRF checks for PUT, PATCH, and DELETE requests, and consider leveraging modern browser protections such as CORS preflight and SameSite cookies.

Note that applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter / <RouterProvider>) are not impacted by this vulnerability.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-53663. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart