CVE-2026-22030
📋 TL;DR
This CVE describes a CSRF vulnerability in React Router and Remix that allows attackers to trick authenticated users into submitting malicious POST requests to UI routes. It affects applications using server-side route action handlers in Framework Mode or React Server Actions in unstable RSC modes. Only applications using Declarative Mode or Data Mode are unaffected.
💻 Affected Systems
- @remix-run/server-runtime
- react-router
⚠️ Risk & Real-World Impact
Worst Case
Attackers could perform unauthorized actions on behalf of authenticated users, potentially modifying data, changing settings, or executing privileged operations depending on the application's functionality.
Likely Case
Attackers could trick users into submitting unintended form data or performing actions they didn't intend, leading to data manipulation or account compromise.
If Mitigated
With proper CSRF protections implemented, the vulnerability would be blocked by token validation or same-origin policies.
🎯 Exploit Status
Exploitation requires the attacker to trick an authenticated user into visiting a malicious page while logged into the vulnerable application.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: @remix-run/server-runtime 2.17.3+, react-router 7.12.0+
Vendor Advisory: https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh
Restart Required: Yes
Instructions:
1. Update @remix-run/server-runtime to version 2.17.3 or higher.
2. Update react-router to version 7.12.0 or higher.
3. Restart your application server.
4. Test that POST requests to UI routes now properly validate CSRF tokens.
🔧 Temporary Workarounds
Implement CSRF Protection Manually
Add CSRF token validation to all POST requests in affected route handlers.
Switch to Data Mode
Migrate from Framework Mode to Data Mode (createBrowserRouter/<RouterProvider>), which is not vulnerable.
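The manual workaround above, shown as an added example. This is not code from React Router, Remix or the advisory: it is a guard for a Framework Mode route action that applies both controls the workaround implies, an Origin/Referer check against the application's own origin and a synchronizer token compared against the session's token. The names allowedOrigin, sessionToken, csrfGuard and the _csrf form field are assumptions of this example; how the per-session token is minted and stored is left to the application.

```javascript
// Added example, not code from React Router, Remix or the advisory: a CSRF
// guard for a Framework Mode route action that applies both controls listed
// in the workarounds above, an Origin/Referer check against the app's own
// origin and a synchronizer token compared against the session's token.
// `allowedOrigin`, `sessionToken` and the `_csrf` field name are assumptions
// of this example; how the per-session token is issued is up to the app.

// Compare two strings without short-circuiting on the first mismatch, so a
// wrong token does not reveal how many leading characters were correct.
function timingSafeEqualStr(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string' || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Browsers send Origin on cross-site POSTs; some same-origin form posts carry
// only Referer, so fall back to the Referer's origin. Returns null if neither
// header is usable.
function requestOrigin(headers) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  if (lower.origin) return lower.origin;
  if (!lower.referer) return null;
  try { return new URL(lower.referer).origin; } catch { return null; }
}

// Core check on plain data: { method, headers, form } against
// { allowedOrigin, sessionToken, fieldName? }. Returns { ok, reason }.
function checkCsrf(req, opts) {
  const method = String(req.method || 'GET').toUpperCase();
  // Safe methods must not change state, so they are left alone.
  if (!['POST', 'PUT', 'PATCH', 'DELETE'].includes(method)) return { ok: true };
  const origin = requestOrigin(req.headers || {});
  if (origin === null) return { ok: false, reason: 'missing Origin and Referer' };
  if (origin !== opts.allowedOrigin) return { ok: false, reason: 'origin ' + origin + ' not allowed' };
  const token = (req.form || {})[opts.fieldName || '_csrf'];
  if (!timingSafeEqualStr(token, opts.sessionToken)) return { ok: false, reason: 'invalid CSRF token' };
  return { ok: true };
}

// Adapter for a route action: `request` is the Fetch Request the action
// receives. Reading the body consumes it, so the parsed form is handed back
// for the real handler to use. Usage inside an action (assumed shape):
//   const g = await csrfGuard(request, { allowedOrigin, sessionToken });
//   if (g.response) return g.response;
//   // ... continue with g.form ...
async function csrfGuard(request, opts) {
  const headers = Object.fromEntries(request.headers);
  const form = Object.fromEntries(await request.formData());
  const result = checkCsrf({ method: request.method, headers, form }, opts);
  if (result.ok) return { form };
  return { response: new Response('Forbidden: ' + result.reason, { status: 403 }) };
}

// Constructed sample configuration for the checks below.
const SAMPLE_OPTS = { allowedOrigin: 'https://app.example', sessionToken: 'constructed-session-token-0123' };
```

The origin check rejects a cross-site POST even when a token is somehow present, and the token check rejects a same-origin request that lacks one, so the two controls fail closed independently. The session token must be unpredictable and bound to the session; comparing it with a constant-time routine rather than === keeps the comparison from leaking which prefix matched.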
🧯 If You Can't Patch
- Implement strict same-origin policies and CORS restrictions
- Add additional authentication checks for sensitive POST operations
🔍 How to Verify
Check if Vulnerable:
Check package.json for @remix-run/server-runtime version < 2.17.3 or react-router version between 7.0.0 and 7.11.0, and verify you're using Framework Mode or unstable RSC modes.
Check Version:
npm list @remix-run/server-runtime react-router
Verify Fix Applied:
After updating, verify the installed versions meet the patched requirements and test that CSRF protection is working on POST requests.
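The version check above, as an added example rather than a tool shipped by React Router or Remix. It audits a parsed package.json against the affected ranges this page states (@remix-run/server-runtime below 2.17.3; react-router from 7.0.0 up to, but not including, 7.12.0). The sample package.json and the function names are constructed for the example. It cannot tell which router mode an application uses, so a vulnerable result still needs the mode check from the text above.

```javascript
// Added example, not a tool from React Router or Remix: audits a package.json
// against the affected ranges this page states (@remix-run/server-runtime
// below 2.17.3; react-router from 7.0.0 up to, but not including, 7.12.0).
// The sample package.json is constructed. The script cannot tell which router
// mode an app uses, so a "vulnerable" result still needs the mode check from
// the text above (Framework Mode or unstable RSC modes are affected).

// Parse "x.y.z" (a leading ^, ~, = or v is stripped); anything else, such as a
// ">=" range or a tag like "latest", returns null and is reported as unknown.
function parseSemver(v) {
  const m = String(v).trim().replace(/^[~^=v]/, '').match(/^(\d+)\.(\d+)\.(\d+)/);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Affected ranges from this page: [min, fixed) is vulnerable.
const AFFECTED = {
  '@remix-run/server-runtime': { min: '0.0.0', fixed: '2.17.3' },
  'react-router': { min: '7.0.0', fixed: '7.12.0' },
};

// Returns 'vulnerable', 'patched', 'outside-affected-range', 'unknown' or
// 'not-tracked'.
function classify(name, version) {
  const range = AFFECTED[name];
  if (!range) return 'not-tracked';
  const v = parseSemver(version);
  if (!v) return 'unknown';
  if (compareSemver(v, parseSemver(range.fixed)) >= 0) return 'patched';
  if (compareSemver(v, parseSemver(range.min)) < 0) return 'outside-affected-range';
  return 'vulnerable';
}

// Walk dependencies and devDependencies of a parsed package.json and report
// only the two packages this page tracks.
function auditPackageJson(pkg) {
  const findings = [];
  for (const section of ['dependencies', 'devDependencies']) {
    for (const [name, version] of Object.entries(pkg[section] || {})) {
      if (AFFECTED[name]) findings.push({ name, version, status: classify(name, version) });
    }
  }
  return findings;
}

// Constructed sample: one vulnerable pin, one patched range.
const SAMPLE_PACKAGE_JSON = {
  name: 'constructed-sample-app',
  dependencies: { '@remix-run/server-runtime': '2.17.2', 'react-router': '^7.12.0', 'react': '^19.0.0' },
};
```

A declared range such as ^7.11.0 says nothing about what is actually installed, so feed classify the resolved versions printed by the npm list command above (or read from the lockfile) rather than the ranges in package.json when you want a definitive answer.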
📡 Detection & Monitoring
Log Indicators:
- Multiple failed POST requests from same IP with missing CSRF tokens
- Unusual POST requests to UI routes without referrer headers
Network Indicators:
- POST requests to application routes without proper Origin/Referer headers
- Cross-origin POST requests to sensitive endpoints
SIEM Query:
source="web_server" AND (method="POST" AND (uri CONTAINS "/action" OR uri CONTAINS "/api") AND (referer IS NULL OR NOT referer CONTAINS "yourdomain.com"))
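The SIEM query above, run as code over web server access logs as an added example that is not part of the original page. The log lines are constructed (RFC 5737 test addresses) and the function names are assumptions of the example. It differs from the query in two ways: the Referer host is matched exactly (or as a subdomain) rather than with CONTAINS, so a hostname that merely contains "yourdomain.com" is still flagged, and flagged requests are counted per source IP, which is the "multiple failed POSTs from the same IP" indicator listed under Log Indicators.

```javascript
// Added example, not part of the original page: the SIEM query above, run
// as code over web server access logs (combined log format with Referer).
// The log lines are constructed. Two changes from the query: the Referer
// host is matched exactly (or as a subdomain) instead of with CONTAINS, so
// a hostname that merely contains "yourdomain.com" is still flagged, and
// flagged requests are counted per source IP, which is the "multiple failed
// POSTs from the same IP" indicator listed under Log Indicators.

const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null;
  return {
    ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]),
    referer: m[6] === '-' ? null : m[6], userAgent: m[7],
  };
}

function refererHost(referer) {
  try { return new URL(referer).hostname; } catch { return null; }
}

// True when host is ownHost itself or a subdomain of it.
function isOwnHost(host, ownHost) {
  return host === ownHost || (host !== null && host.endsWith('.' + ownHost));
}

// Flag POSTs whose Referer is absent or from another site. `pathPrefixes`
// (optional) narrows the check to the routes that take actions, as the
// query's "/action" and "/api" clauses do.
function flagCrossSitePosts(lines, ownHost, pathPrefixes) {
  const flagged = [];
  for (const line of lines) {
    const e = parseLogLine(line);
    if (!e || e.method !== 'POST') continue;
    if (pathPrefixes && !pathPrefixes.some((p) => e.path.startsWith(p))) continue;
    if (e.referer === null) {
      flagged.push({ ...e, reason: 'no Referer' });
    } else if (!isOwnHost(refererHost(e.referer), ownHost)) {
      flagged.push({ ...e, reason: 'foreign Referer ' + e.referer });
    }
  }
  return flagged;
}

// Count flagged requests per source IP for triage.
function countByIp(flagged) {
  const counts = {};
  for (const e of flagged) counts[e.ip] = (counts[e.ip] || 0) + 1;
  return counts;
}

// Constructed sample log lines (RFC 5737 test addresses).
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Jan/2026:12:00:01 +0000] "POST /settings HTTP/1.1" 403 12 "https://evil.example/lure" "Mozilla/5.0"',
  '203.0.113.7 - - [10/Jan/2026:12:00:02 +0000] "POST /settings HTTP/1.1" 403 12 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Jan/2026:12:00:03 +0000] "POST /settings HTTP/1.1" 200 512 "https://yourdomain.com/settings" "Mozilla/5.0"',
  '198.51.100.4 - - [10/Jan/2026:12:00:04 +0000] "GET /settings HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  '203.0.113.9 - - [10/Jan/2026:12:00:05 +0000] "POST /settings HTTP/1.1" 403 12 "https://yourdomain.com.evil.example/" "Mozilla/5.0"',
];
```

A missing Referer on its own is noisy (browser privacy settings and some extensions strip it), which is why the reason and the per-IP count are kept for triage instead of treating every hit as an alert. The standard combined log format does not record the Origin header, so to apply the Network Indicators check to the same data you would add Origin to the log format first.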