React Router has CSRF issue in Action/Server Action Request Processing
- Severity: Medium
Description
React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.
Recommendation
Update the @remix-run/server-runtime package to the latest compatible version. Version details:
- Affected version(s): <= 2.17.2
- Patched version(s): 2.17.3
Related Issues
- Astro has memory exhaustion DoS due to missing request body size limit in Server Actions - CVE-2026-27729
- Parse Server has a rate limit bypass via batch request endpoint - CVE-2026-30972
- Undici has an HTTP Request/Response Smuggling issue - CVE-2026-1525
- Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation - CVE-2026-2229
- Tags: npm, @remix-run/server-runtime
Last updated on January 11, 2026