Fluid Attacks Database

Description

A cross site request forgery flaw has been discovered in the npm react-router package. React Router is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
npm	@remix-run/server-runtime	>=0 <2.17.3	2.17.3
npm	react-router	>=7.0.0 <7.12.0	7.12.0
rpm rhel9	ipa	-	-

Aliases

1. CVE-2026-220302. NVD-2026-220303. OSV-2026-220304. GHSA-h5cw-625j-3rxh5. GCVE-2026-22030

References

1. https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.