Platform: nodejs
Component: react-router
Fixed in: 2.17.4, 7.0.1, 7.12.0
A Cross-Site Request Forgery (CSRF) vulnerability exists in React Router (and Remix v2) when using server-side route action handlers in Framework Mode, or React Server Actions in unstable RSC modes. An attacker could use it to trigger unintended document POST requests, leading to unauthorized actions within the application. The vulnerability affects versions prior to 7.12.0; upgrading to this version resolves the issue.
The primary impact of CVE-2026-22030 is that an attacker can exploit the CSRF weakness to perform unauthorized actions within a React Router application. Specifically, an attacker could craft a malicious page that, when visited by a logged-in user, causes the user's browser to send an unintended document POST request to the server. This could lead to data modification, account compromise, or other sensitive operations depending on the application's functionality. The vulnerability is particularly concerning in applications that handle sensitive data or perform critical actions via POST requests, because the forged request rides on the victim's existing authenticated session and the attacker never has to authenticate.
This vulnerability was publicly disclosed on January 8, 2026. There are currently no known public proof-of-concept exploits available. The CVSS score is 6.5 (MEDIUM), indicating a moderate risk. It is not currently listed on the CISA KEV catalog. The vulnerability affects only applications using React Router's Framework Mode or React Server Actions; applications using Declarative Mode or Data Mode are not affected.
Exploit Status
EPSS
0.02% (5th percentile)
The primary mitigation for CVE-2026-22030 is to upgrade to React Router version 7.12.0 or later. This version includes fixes to prevent the CSRF vulnerability. If upgrading is not immediately feasible, consider implementing additional CSRF protection measures, such as using CSRF tokens for all document POST requests. Ensure that your application's server-side route handlers properly validate and sanitize all incoming data to prevent malicious input from being processed. Review and update any existing CSRF protection mechanisms to ensure they are effective against this specific vulnerability.
Update the react-router library to version 7.12.0 or higher. This fixes the CSRF vulnerability in Action/Server Action request processing. Run `npm update react-router` or `yarn upgrade react-router` to update to the secure version.
CVE-2026-22030 is a Cross-Site Request Forgery (CSRF) vulnerability affecting React Router (and Remix v2) versions before 7.12.0, allowing attackers to trigger unintended POST requests.
You are affected if you use React Router (or Remix v2) and are using server-side route actions in Framework Mode or React Server Actions in unstable RSC modes with versions prior to 7.12.0.
Upgrade to React Router version 7.12.0 or later. Consider implementing CSRF tokens for all document POST requests as an additional layer of protection.
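The CSRF-token mitigation recommended above (and in the mitigation section earlier on this page), shown as an added example that is not React Router's own code: a guard for a Framework Mode route module `action` that rejects document POSTs from another origin and checks a double-submit token. The cookie name, form field name and route URL are assumptions for illustration.

```javascript
// Added example, not React Router's own code: a CSRF guard for a Framework Mode
// route module `action`. It rejects document POSTs that do not come from the
// same origin or whose form token does not match the session cookie token.
// The cookie name, field name and route URL are assumptions for illustration.
const CSRF_COOKIE = "csrf";  // hypothetical cookie set when the form page renders
const CSRF_FIELD = "_csrf";  // hypothetical hidden form field carrying the token

// Read one cookie value from the Cookie header.
function readCookie(request, name) {
  const header = request.headers.get("cookie") ?? "";
  for (const part of header.split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) return decodeURIComponent(rest.join("="));
  }
  return null;
}

// Browser-supplied Origin (or the Sec-Fetch-Site hint when Origin is absent)
// must match the origin the form is posted to; otherwise treat as cross-site.
function isSameOrigin(request) {
  const origin = request.headers.get("origin");
  if (origin !== null) return origin === new URL(request.url).origin;
  const site = request.headers.get("sec-fetch-site");
  return site === "same-origin" || site === "none";
}

// Double-submit check: the token in the form body must equal the cookie token.
async function verifyCsrf(request) {
  if (request.method !== "POST") return { ok: true };
  if (!isSameOrigin(request)) return { ok: false, reason: "cross-origin" };
  const cookieToken = readCookie(request, CSRF_COOKIE);
  const formToken = (await request.formData()).get(CSRF_FIELD);
  if (!cookieToken || cookieToken !== formToken) return { ok: false, reason: "bad-token" };
  return { ok: true };
}

// Route action (assumed Framework Mode signature `action({ request })`; export it
// from the route module). The state-changing work runs only after the guard passes.
async function action({ request }) {
  const check = await verifyCsrf(request.clone());
  if (!check.ok) return new Response(`Forbidden: ${check.reason}`, { status: 403 });
  const form = await request.formData();
  return new Response(`updated ${form.get("name")}`, { status: 200 });
}
```

Generate the cookie token with a CSPRNG (for example `crypto.randomUUID()`) when rendering the form, and mark the cookie `HttpOnly` and `SameSite=Lax` so it is only ever echoed back by your own pages.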
As of now, there are no known active exploits or campaigns targeting CVE-2026-22030, but it's crucial to apply the patch proactively.
Refer to the official React Router documentation and blog for updates and advisories: https://reactrouter.com/start/modes