Impact
The vulnerability is a missing CSRF verification that only applies to POST requests; PUT, PATCH or DELETE requests bypass the check, potentially allowing state‑changing actions from a cross‑origin request. Modern browser mechanisms such as SameSite cookies and CORS preflight largely mitigate the risk, which is why the impact is rated as low severity.
Affected Systems
Affected are the @remix‑run:server-runtime and remix‑run:react‑router packages from version 7.12.0 up to and including 7.15.1 when operating in Framework Mode. Packages newer than 7.15.1 are not affected.
Risk and Exploitability
The CVSS score is 3.1, reflecting low overall risk. The EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog. Because the CSRF check is only enforced on POST, the inferred attack vector is attempting to send non‑POST requests from a malicious origin, but without browser protections it is unlikely. Modern SameSite cookie policies and CORS preflight headers generally block such attempts.
OpenCVE Enrichment
Github GHSA