CVE-2026-53663
Status: Received (Intake)
CSRF Bypass in React Router v7 Framework Mode

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
React Router is a router for React. From 7.12.0 up to but not including 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient: they ran on POST requests but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate. This vulnerability is fixed in 7.15.1.
Page generated: 2026-06-23
AI Q&A generated: 2026-06-22
EPSS: not yet evaluated
Affected Vendors & Products
Vendor Product Version / Range
remix-run react-router From 7.12.0 (inc) to 7.15.1 (exc)
remix-run server-runtime From 2.17.3 (inc) to 2.17.5 (exc)
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
AI Quick Actions (AI-generated summary)
Executive Summary

The CVE-2026-53663 vulnerability is a Cross-Site Request Forgery (CSRF) issue in React Router versions from 7.12.0 to before 7.15.1. In React Router v7 Framework Mode, CSRF checks were only applied to POST requests but were missing for PUT, PATCH, and DELETE requests. This means that an attacker could potentially perform unauthorized actions by exploiting the lack of CSRF protection on these HTTP methods.

However, the vulnerability is considered low severity because of two browser behaviours the advisory relies on. An HTML form can only submit GET or POST, so a cross-site PUT, PATCH or DELETE has to be issued from fetch() or XMLHttpRequest, and those methods are not CORS-safelisted: the browser sends an OPTIONS preflight first and only issues the real request if the target explicitly allows that origin and method. Independently, a session cookie marked SameSite=Lax or Strict (Lax is what Chromium-based browsers apply when the attribute is absent) is not attached to a cross-site request, so a forged request would arrive without the victim's session.

Additionally, this vulnerability does not affect applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter / <RouterProvider>).
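The method gap described above, reduced to its shape: an origin check that is only reached for POST beside one that gates every state-changing method. This is an added illustration, not React Router's own code; the function names, the TRUSTED_ORIGIN value and the minimal request object are assumptions made for the example, and the requests it evaluates are constructed.

```javascript
// Added illustration (not React Router's code) of the CWE-352 pattern this
// advisory describes: an origin check keyed on the HTTP method that covers
// POST but lets PUT/PATCH/DELETE through, beside a guard that covers every
// state-changing method. All names below are assumptions for the example.

// Deployment origin that legitimate browser requests should carry (assumed).
const TRUSTED_ORIGIN = "https://app.example";

// Minimal stand-in for a Fetch API Request: method plus case-insensitive
// header lookup. Constructed so the example runs offline with no server.
function makeRequest(method, headers = {}) {
  const lower = {};
  for (const [name, value] of Object.entries(headers)) {
    lower[name.toLowerCase()] = value;
  }
  return {
    method: method.toUpperCase(),
    headers: { get: (name) => lower[name.toLowerCase()] ?? null },
  };
}

// Browsers attach Origin to cross-site requests and to same-origin requests
// made with non-GET methods, so for a mutating request a missing or foreign
// Origin is the CSRF signal. Sec-Fetch-Site is the fallback when a browser
// omits Origin; anything else is refused.
function originIsTrusted(req) {
  const origin = req.headers.get("origin");
  if (origin !== null) return origin === TRUSTED_ORIGIN;
  return req.headers.get("sec-fetch-site") === "same-origin";
}

// Vulnerable shape: the check is only reached for POST. A PUT, PATCH or
// DELETE with a foreign Origin is accepted without any CSRF decision.
function csrfGuardPostOnly(req) {
  if (req.method === "POST") return originIsTrusted(req);
  return true;
}

// Hardened shape: safe (read-only) methods pass, every other method is
// subject to the same origin decision.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

function csrfGuardAllMutating(req) {
  if (SAFE_METHODS.has(req.method)) return true;
  return originIsTrusted(req);
}

// Runs both guards over the same constructed cross-site requests and reports,
// per method, whether a request carrying a foreign Origin gets through.
function compareGuards() {
  const foreign = { Origin: "https://attacker.example" };
  const report = {};
  for (const method of ["POST", "PUT", "PATCH", "DELETE"]) {
    const req = makeRequest(method, foreign);
    report[method] = {
      postOnlyAccepts: csrfGuardPostOnly(req),
      allMutatingAccepts: csrfGuardAllMutating(req),
    };
  }
  return report;
}
```

compareGuards() shows the gap directly: the post-only guard rejects the foreign POST but accepts the foreign PUT, PATCH and DELETE, while the all-mutating guard rejects all four. What keeps the gap from being cheaply reachable in a browser is exactly what the advisory cites: those three methods cannot come from an HTML form, and a fetch() using them is preflighted, so the forged request only arrives with cookies if the target's CORS policy lets it.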

Impact Analysis

An application is in scope only if it runs React Router Framework Mode on an affected version and exposes route actions that change state on PUT, PATCH or DELETE; for those requests the CSRF check that gates POST was bypassed, so the request's origin went unverified.

In practice the impact is limited. The browser behaviours noted above (CORS preflight for non-simple methods, SameSite cookie handling) mean a cross-site PUT, PATCH or DELETE generally cannot reach the handler with the victim's cookies unless the application itself has loosened CORS to allow credentialed requests from foreign origins.

The overall risk is low, but if your application runs an affected version in Framework Mode, update to 7.15.1 or later to fully address the issue.

Mitigation Strategies

To mitigate this vulnerability, upgrade React Router to version 7.15.1 or later (and the server-runtime package listed above to 2.17.5 or later, if you ship it), where the CSRF check covers all mutating methods.

Until the upgrade lands, do not rely on the framework check alone: apply your own origin validation or CSRF token to every state-changing method rather than POST only; set SameSite=Lax or Strict on the session cookie; and audit the CORS configuration so that no foreign origin is granted Access-Control-Allow-Credentials together with a reflected Access-Control-Allow-Origin, since that combination is what would let a preflighted cross-site PUT/PATCH/DELETE reach the unprotected handler with the victim's cookies.

Note that applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter / <RouterProvider>) are not impacted by this vulnerability.
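To find installs that fall inside the ranges listed under Affected Vendors & Products, the following added example (not from the advisory or the React Router project) walks the packages map of a lockfileVersion 2/3 package-lock.json. It assumes the table's server-runtime product is the npm package @remix-run/server-runtime, treats the ranges as inclusive-lower/exclusive-upper as the (inc)/(exc) markers state, and operates on a constructed sample lock file.

```javascript
// Added example, not from the advisory or the React Router project: find
// installed copies of the two affected packages whose version falls inside
// the ranges in the Affected Vendors & Products table. Assumption: the CPE
// product "server-runtime" is the npm package @remix-run/server-runtime.
const AFFECTED = [
  { name: "react-router", from: "7.12.0", toExclusive: "7.15.1" },
  { name: "@remix-run/server-runtime", from: "2.17.3", toExclusive: "2.17.5" },
];

// Parse "major.minor.patch[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ?? null };
}

// SemVer-style ordering: numeric triple first; a prerelease sorts below the
// release with the same triple, so 7.15.1-pre.0 is still inside "< 7.15.1".
// Prerelease identifiers are compared lexically, an approximation of the
// full SemVer rule that is sufficient for range membership here.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Inclusive lower bound, exclusive upper bound, matching the "(inc)"/"(exc)"
// markers in the table above.
function inAffectedRange(version, range) {
  return compareVersions(version, range.from) >= 0
    && compareVersions(version, range.toExclusive) < 0;
}

// Walk the lockfileVersion 2/3 "packages" map. Keys are install paths such as
// "node_modules/react-router" or a nested
// "node_modules/x/node_modules/react-router"; the package name is the part
// after the last "node_modules/" unless the entry carries an explicit name
// (npm writes one for aliased installs).
function findAffected(lock) {
  const hits = [];
  const marker = "node_modules/";
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    if (path === "") continue; // root project entry, not a dependency
    const name = entry.name ?? path.slice(path.lastIndexOf(marker) + marker.length);
    const range = AFFECTED.find((r) => r.name === name);
    if (range && entry.version && inAffectedRange(entry.version, range)) {
      hits.push({ path, name, version: entry.version, fixedIn: range.toExclusive });
    }
  }
  return hits;
}

// Constructed sample lock file: one vulnerable react-router, one nested copy
// already at the fixed version, and a server-runtime at its first fixed version.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-router": { version: "7.13.2" },
    "node_modules/some-lib/node_modules/react-router": { version: "7.15.1" },
    "node_modules/@remix-run/server-runtime": { version: "2.17.5" },
  },
};
```

Against SAMPLE_LOCK, findAffected reports a single hit, the top-level react-router at 7.13.2 with fixedIn 7.15.1; the nested 7.15.1 copy and the 2.17.5 server-runtime are outside their ranges. For a real project, read the lock file with JSON.parse(fs.readFileSync("package-lock.json", "utf8")) and pass the object to findAffected; every hit is an install to move to the fixedIn version or later.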
