GHSA-84g9-w2xq-vcv6LowCVSS 3.1
React Router: Potential CSRF via PUT/PATCH/DELETE document requests
🔗 CVE IDs covered (1)
📋 Description
Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate.
[!NOTE] This does not impact your React Router application if you are using Declarative Mode (
<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
🎯 Affected products2
- npm/react-router:>= 7.12.0, < 7.15.1
- npm/@remix-run/server-runtime:>= 2.17.3, < 2.17.5