exploitDog

GHSA-h5cw-625j-3rxh

Published: 08 Jan 2026
Source: github
GitHub: Reviewed
CVSS3: 6.5

Description

React Router has CSRF issue in Action/Server Action Request Processing

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

Note: This does not impact applications that use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Packages

Name: react-router (npm)
Affected versions: >= 7.0.0, <= 7.11.0
Fixed version: 7.12.0

Name: @remix-run/server-runtime (npm)
Affected versions: <= 2.17.2
Fixed version: 2.17.3

EPSS

Percentile: 3%
0.00016
Low

6.5 Medium

CVSS3

Weaknesses

CWE-346
CWE-352

Related vulnerabilities

CVSS3: 6.5
nvd
29 days ago

React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
