6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-22030

CVE-2026-22030: React Router has CSRF issue in Action/Server Action Request Processing

React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-22030

CVE-2026-22030:

6.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
react-router	npm	>= 7.0.0, <= 7.11.0	7.12.0
@remix-run/server-runtime	npm	<= 2.17.2	2.17.3

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability is a Cross-Site Request Forgery (CSRF) issue in React Router's server-side action processing. This occurs when the server does not validate if a POST request originates from a trusted source. An attacker could craft a malicious form on a different website that, when submitted by a logged-in user, would execute an action on the vulnerable application with the user's privileges.

The patch addresses this by introducing a new function, throwIfPotentialCSRFAttack, which is added in packages/react-router/lib/actions.ts. This function compares the Origin header of the request with the application's own host (derived from the Host or X-Forwarded-Host header). If they don't match, and the origin is not on an explicit allowlist (allowedActionOrigins), the request is rejected, thus preventing the CSRF attack.

This check is strategically placed in the primary functions responsible for handling server-side POST requests that can trigger actions:

handleDocumentRequest in packages/react-router/lib/server-runtime/server.ts for general server-rendered document submissions.
generateRenderResponse in packages/react-router/lib/rsc/server.rsc.ts for submissions involving React Server Components.
singleFetchAction in packages/react-router/lib/server-runtime/single-fetch.ts for a specific action-handling mechanism.

These three functions are the entry points for the vulnerable operations, and their modification to include the throwIfPotentialCSRFAttack check is the direct mitigation for the vulnerability. Therefore, these are the functions that would be active on the stack when a CSRF exploit is attempted.

Vulnerable functions

handleDocumentRequest

packages/react-router/lib/server-runtime/server.ts

This function handles server-side document requests. Before the patch, it did not validate the origin of POST requests, making it vulnerable to CSRF attacks when processing form submissions or actions. The patch introduces an origin check by calling `throwIfPotentialCSRFAttack`.

generateRenderResponse

packages/react-router/lib/rsc/server.rsc.ts

This function generates responses for React Server Components and processes server actions. Prior to the patch, it lacked CSRF protection for POST requests, allowing an attacker to trigger actions on behalf of a user. The patch adds a call to `throwIfPotentialCSRFAttack`.

singleFetchAction

packages/react-router/lib/server-runtime/single-fetch.ts

This function handles action requests in a "single fetch" mode. It was vulnerable because it didn't verify the request's origin, allowing for CSRF attacks. The patch adds the necessary origin check by calling `throwIfPotentialCSRFAttack`.

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

6.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2026-22030: React Router has CSRF issue in Action/Server Action Request Processing

CVE-2026-22030:

6.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

6.5

6.5

Technical Details

Basic Information

Basic Information

CVE-2026-22030: React Router has CSRF issue in Action/Server Action Request Processing

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI