GHSA-84g9-w2xq-vcv6LowCVSS 3.1

React Router: Potential CSRF via PUT/PATCH/DELETE document requests

Published
June 15, 2026
Last Modified
June 15, 2026

🔗 CVE IDs covered (1)

📋 Description

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate.

[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

🎯 Affected products2

  • npm/react-router:>= 7.12.0, < 7.15.1
  • npm/@remix-run/server-runtime:>= 2.17.3, < 2.17.5

🔗 References (2)