FKIE_CVE-2026-22030

Vulnerability from fkie_nvd - Published: 2026-01-10 03:15 - Updated: 2026-02-05 20:51
Summary
React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
Impacted products
Vendor   Product          Version
shopify  react-router     *
shopify  remix-run/react  *

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "6928DE33-6137-4682-8610-1A6646F1B2A5",
              "versionEndIncluding": "7.11.0",
              "versionStartIncluding": "7.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:shopify:remix-run\\/react:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "CD7006C4-2033-446C-A472-DAD51EB06396",
              "versionEndExcluding": "2.17.3",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (\u003cBrowserRouter\u003e) or Data Mode (createBrowserRouter/\u003cRouterProvider\u003e) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0."
    },
    {
      "lang": "es",
      "value": "React Router es un router para React. En la versi\u00f3n de @remix-run/server-runtime anterior a la 2.17.3. y react-router 7.0.0 hasta la 7.11.0, React Router (o Remix v2) es vulnerable a ataques CSRF en solicitudes POST de documentos a rutas de interfaz de usuario cuando se utilizan manejadores de acciones de ruta del lado del servidor en Modo Framework, o cuando se utilizan Acciones de Servidor de React en los nuevos modos RSC inestables. No hay impacto si se utiliza el Modo Declarativo () o el Modo de Datos (createBrowserRouter/). Este problema ha sido parcheado en la versi\u00f3n 2.17.3 de @remix-run/server-runtime y la versi\u00f3n 7.12.0 de react-router."
    }
  ],
  "id": "CVE-2026-22030",
  "lastModified": "2026-02-05T20:51:29.483",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-10T03:15:49.067",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-346"
        },
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-352"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}