React Router has CSRF issue in Action/Server Action Request Processing

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

Note

This does not impact applications that use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

References

GHSA-h5cw-625j-3rxh

brophdawg11 published to remix-run/react-router Jan 8, 2026

Published to the GitHub Advisory Database Jan 8, 2026

Reviewed Jan 8, 2026

Last updated Jan 8, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Package

Affected versions

Patched versions

Description

References

Severity

CVSS overall score

CVSS v3 base metrics

CVSS v3 base metrics

EPSS score

Weaknesses

Origin Validation Error

Cross-Site Request Forgery (CSRF)

CVE ID

GHSA ID

Source code

Credits

Uh oh!