React Router has CSRF issue in Action/Server Action Request Processing

Severity:: Medium

Description

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

Recommendation

Update the @remix-run/server-runtime package to the latest compatible version. Followings are version details:

Affected version(s): <= 2.17.2
Patched version(s): 2.17.3

References

GHSA-h5cw-625j-3rxh
CVE-2026-22030
CWE-346
CWE-352
CAPEC-310
OWASP 2021-A1
OWASP 2021-A6
OWASP 2021-A7

Related Issues

enclave-vm Vulnerable to Sandbox Escape via Host Error Prototype Chain - CVE-2026-22686
Predictable results in nanoid generation when given non-integer values - CVE-2024-55565
HackMD MCP Server has Server-Side Request Forgery (SSRF) vulnerability - CVE-2025-59155
OpenList (frontend) allows XSS Attacks in the built-in Markdown Viewer - CVE-2025-50183

Tags:: npm; @remix-run/server-runtime

Anything's wrong? Let us know Last updated on January 11, 2026