GHSA-h5cw-625j-3rxh: React Router has CSRF issue in Action/Server Action Request Processing
React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.
Note: This does not impact applications that use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
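
A defense-in-depth check an application can run before a document POST reaches a server-side route action, shown as an added example: it is not the React Router patch and not code from the advisory. The function names, the allowlist parameter and the sample requests are assumptions constructed for illustration.

```javascript
// Added example: same-origin gate for state-changing document requests.
// checkActionOrigin and allowedOrigins are hypothetical names, not React Router APIs.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Serialized origin of a URL string, or null when it is unparsable or opaque
// (an "Origin: null" header, sent from sandboxed contexts, ends up here).
function originOf(value) {
  try {
    const origin = new URL(value).origin;
    return origin === "null" ? null : origin;
  } catch {
    return null;
  }
}

// request: a Fetch API Request (what a route action receives) or any object
// exposing .method and .headers.get(). allowedOrigins: origins the app is served from.
function checkActionOrigin(request, allowedOrigins) {
  if (SAFE_METHODS.has(request.method.toUpperCase())) {
    return { allowed: true, reason: "safe method" };
  }
  const allowed = new Set(allowedOrigins.map(originOf).filter(Boolean));
  const originHeader = request.headers.get("origin");
  const referer = request.headers.get("referer");
  // Prefer Origin; use Referer only when Origin is absent, never when it is invalid.
  let source = null;
  if (originHeader !== null) source = originOf(originHeader);
  else if (referer !== null) source = originOf(referer);

  if (source === null) {
    // Fail closed: a mutation with no provable source is rejected.
    return { allowed: false, reason: "no usable Origin or Referer" };
  }
  if (!allowed.has(source)) {
    return { allowed: false, reason: `cross-origin source ${source}` };
  }
  return { allowed: true, reason: "same origin" };
}

// Constructed sample requests (not captured traffic).
const APP_ORIGINS = ["https://app.example"];
const sample = (method, headers) => ({ method, headers: new Headers(headers) });
const results = [
  sample("POST", { origin: "https://app.example" }),
  sample("POST", { origin: "https://other.example" }),
  sample("POST", { referer: "https://app.example/settings" }),
  sample("POST", {}),
].map((req) => checkActionOrigin(req, APP_ORIGINS));
console.log(results);
```

Run the check ahead of the framework's request handler and answer rejected requests with a 403, logging the reason so blocked cross-origin submissions are visible.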
CVE ID: CVE-2026-22030
Severity: Moderate (GitHub Reviewed)
Published Jan 8, 2026 in remix-run/react-router • Updated Jan 8, 2026
Package: @remix-run/server-runtime (npm)
Affected versions: <= 2.17.2
References
- GHSA-h5cw-625j-3rxh
Published to the GitHub Advisory Database: Jan 8, 2026