Description
React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate. This vulnerability is fixed in 7.15.1.
Published: 2026-06-22
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a missing CSRF verification that only applies to POST requests; PUT, PATCH or DELETE requests bypass the check, potentially allowing state‑changing actions from a cross‑origin request. Modern browser mechanisms such as SameSite cookies and CORS preflight largely mitigate the risk, which is why the impact is rated as low severity.

Affected Systems

Affected are the @remix‑run:server-runtime and remix‑run:react‑router packages from version 7.12.0 up to and including 7.15.1 when operating in Framework Mode. Packages newer than 7.15.1 are not affected.

Risk and Exploitability

The CVSS score is 3.1, reflecting low overall risk. The EPSS score is unavailable. The vulnerability is not listed in the CISA KEV catalog. Because the CSRF check is only enforced on POST, the inferred attack vector is attempting to send non‑POST requests from a malicious origin, but without browser protections it is unlikely. Modern SameSite cookie policies and CORS preflight headers generally block such attempts.

Generated by OpenCVE AI on June 22, 2026 at 20:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @remix‑run:server-runtime and remix‑run:react‑router to version 7.15.1 or later
  • If immediate update is impossible, add server‑side CSRF validation on all state‑changing endpoints including PUT, PATCH and DELETE
  • Ensure session cookies use SameSite=Lax or Strict and that CORS policies are restrictive

Generated by OpenCVE AI on June 22, 2026 at 20:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-84g9-w2xq-vcv6 React Router: Potential CSRF via PUT/PATCH/DELETE document requests
History

Wed, 24 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Low


Mon, 22 Jun 2026 21:30:00 +0000

Type Values Removed Values Added
First Time appeared Remix-run
Remix-run react-router
Remix-run server-runtime
Vendors & Products Remix-run
Remix-run react-router
Remix-run server-runtime

Mon, 22 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Description React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate. This vulnerability is fixed in 7.15.1.
Title React Router: `handleDocumentRequest` CSRF check covers `POST` only; PUT/PATCH/DELETE bypass
Weaknesses CWE-352
References
Metrics cvssV3_1

{'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N'}


Subscriptions

Remix-run React-router Server-runtime
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T19:52:50.287Z

Reserved: 2026-06-09T20:50:36.877Z

Link: CVE-2026-53663

cve-icon Vulnrichment

Updated: 2026-06-22T19:52:43.823Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Low

Publid Date: 2026-06-22T17:39:29Z

Links: CVE-2026-53663 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T21:15:04Z

Weaknesses
  • CWE-352

    Cross-Site Request Forgery (CSRF)