Platform
nodejs
Component
react-router
Fixed in
2.17.4
7.0.1
7.12.0
A Cross-Site Request Forgery (CSRF) vulnerability exists in React Router (and Remix v2) when using server-side route action handlers in Framework Mode, or React Server Actions in unstable RSC modes. This allows an attacker to potentially trigger unintended document POST requests, leading to unauthorized actions within the application. The vulnerability affects versions prior to 7.12.0; upgrading to this version resolves the issue.
The primary impact of CVE-2026-22030 is the potential for attackers to exploit CSRF vulnerabilities to perform unauthorized actions within a React Router application. Specifically, an attacker could craft malicious requests that, when triggered by a user, would result in unintended document POST requests being sent to the server. This could lead to data modification, account compromise, or other sensitive operations depending on the application's functionality. The vulnerability is particularly concerning in applications that handle sensitive data or perform critical actions via POST requests, because the forged request is sent with the victim's existing session credentials, so standard authentication checks alone do not stop it.
This vulnerability was publicly disclosed on January 8, 2026. There are currently no known public proof-of-concept exploits available. The CVSS score is 6.5 (MEDIUM), indicating a moderate risk. It is not currently listed on the CISA KEV catalog. The vulnerability specifically targets applications utilizing React Router's Framework Mode or React Server Actions, so applications using Declarative Mode or Data Mode are not affected.
Applications built with React Router (or Remix v2) that utilize server-side route action handlers in Framework Mode, or React Server Actions in unstable RSC modes, are at risk. This includes applications that handle sensitive data or perform critical actions via POST requests. Developers using older versions of React Router and relying on Declarative or Data Mode are not directly affected.
• nodejs: Monitor application logs for unusual POST requests to UI routes, especially those originating from external sources.
grep -i 'POST /ui/route' access.log
• nodejs: Check for any unauthorized modifications to data or user accounts that could be attributed to CSRF attacks.
# Review audit logs for suspicious activity
journalctl -u your-app -g 'CSRF attack'
• generic web: Inspect response headers for unexpected redirects or changes in application state after a user visits a potentially malicious link. Use curl to test endpoints.
curl -v https://your-app.com/ui/route
Exploit status
EPSS
0.02% (5th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-22030 is to upgrade to React Router version 7.12.0 or later. This version includes fixes to prevent the CSRF vulnerability. If upgrading is not immediately feasible, consider implementing additional CSRF protection measures, such as using CSRF tokens for all document POST requests. Ensure that your application's server-side route handlers properly validate and sanitize all incoming data to prevent malicious input from being processed. Review and update any existing CSRF protection mechanisms to ensure they are effective against this specific vulnerability.
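The CSRF token and origin checks recommended above, as an added example that is not React Router's or Remix's own code: a guard that a Framework Mode `action` can call before it processes a document POST. It assumes the application already keeps a per-session CSRF token in its session cookie and renders the same token as a hidden `csrf` field in every form; `allowedOrigin` and `sessionToken` are values the caller supplies.

```javascript
// Added example (not React Router's or Remix's own code): a guard for the top
// of a Framework Mode `action`. Assumptions: the app keeps a per-session CSRF
// token in its session cookie and renders it as <input type="hidden" name="csrf">
// in every <form method="post">.

// Constant-time string comparison so the token check does not leak by timing.
function tokensMatch(submitted, expected) {
  if (typeof submitted !== "string" || typeof expected !== "string") return false;
  if (submitted.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= submitted.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Origin check: a cross-site form post carries the other site's Origin (or "null")
// and, in current browsers, Sec-Fetch-Site: cross-site. `headers` is any object
// with a case-insensitive get(), such as the Fetch Headers of the request.
function sameOrigin(headers, allowedOrigin) {
  const fetchSite = headers.get("sec-fetch-site");
  if (fetchSite && fetchSite !== "same-origin") return false;
  let source = headers.get("origin");
  const referer = headers.get("referer");
  // Fall back to the Referer's origin for agents that omit Origin; with neither present, reject.
  if (!source && referer) {
    try { source = new URL(referer).origin; } catch { source = null; }
  }
  return source === allowedOrigin;
}

// Returns { ok: true, form } when the action may proceed, otherwise a 403 with a reason.
// `request` is the Fetch Request the action receives (method, headers, formData()).
async function guardAction(request, { allowedOrigin, sessionToken }) {
  if (!["POST", "PUT", "PATCH", "DELETE"].includes(request.method.toUpperCase())) {
    return { ok: true }; // safe methods change no state, nothing to protect
  }
  if (!sameOrigin(request.headers, allowedOrigin)) {
    return { ok: false, status: 403, reason: "cross-origin request" };
  }
  const form = await request.formData();
  if (!tokensMatch(form.get("csrf"), sessionToken)) {
    return { ok: false, status: 403, reason: "missing or invalid CSRF token" };
  }
  return { ok: true, form };
}
```

Rejecting on the origin check before reading the body keeps the guard cheap for forged requests, and the token check still covers clients that send no Origin or Sec-Fetch-Site header at all.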
Update the react-router library to version 7.12.0 or later. This fixes the CSRF vulnerability in the handling of action/server action requests. Run `npm update react-router` or `yarn upgrade react-router` to move to the fixed version.
CVE-2026-22030 is a Cross-Site Request Forgery (CSRF) vulnerability affecting React Router (and Remix v2) versions before 7.12.0, allowing attackers to trigger unintended POST requests.
You are affected if you use React Router (or Remix v2) and are using server-side route actions in Framework Mode or React Server Actions in unstable RSC modes with versions prior to 7.12.0.
Upgrade to React Router version 7.12.0 or later. Consider implementing CSRF tokens for all document POST requests as an additional layer of protection.
As of now, there are no known active exploits or campaigns targeting CVE-2026-22030, but it's crucial to apply the patch proactively.
Refer to the official React Router documentation and blog for updates and advisories: https://reactrouter.com/start/modes