CVE-2026-53663: CWE-352: Cross-Site Request Forgery (CSRF) in remix-run react-router
React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient: they ran on POST requests but were skipped on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections already block the cross-origin attack vectors that the missing check would otherwise gate. An HTML form can only submit GET or POST, so a cross-site page can only send PUT/PATCH/DELETE through fetch or XMLHttpRequest; those methods are not CORS-safelisted, so the browser sends a preflight that a normally configured server rejects, and a session cookie with SameSite=Lax or Strict (the Chromium default) is not attached to such a request in any case. This vulnerability is fixed in 7.15.1.
AI Analysis
Technical Summary
React Router v7 Framework Mode versions 7.12.0 through 7.15.0 have incomplete CSRF protection: the check runs on POST requests but is skipped on PUT, PATCH, and DELETE requests, so a cross-site request using one of those methods that reaches an action is not rejected by the framework. Exploitation is limited by the browser rather than by React Router: forms cannot emit these methods, a cross-origin fetch using them is preflighted, and SameSite cookie defaults withhold the victim's session cookie. The vulnerability is addressed in React Router version 7.15.1.
Potential Impact
The vulnerability could allow an attacker to perform unauthorized state-changing requests (PUT, PATCH, DELETE) on behalf of a logged-in user via CSRF, but only where the browser-side defenses are absent or misconfigured: for example, a CORS policy that answers the preflight by reflecting arbitrary origins together with Access-Control-Allow-Credentials: true, or a session cookie set with SameSite=None on a browser that does not apply a Lax default. In the common configuration the cross-site PUT/PATCH/DELETE never reaches the action with the victim's cookies. No confidentiality or availability impacts are reported; the CVSS v3.1 score is 3.1 (Low).
Mitigation Recommendations
Upgrade React Router to version 7.15.1 or later, where the check covers PUT/PATCH/DELETE as well as POST; `npm ls react-router` shows whether a deployed application is in the 7.12.0 to 7.15.0 range. Until then, confirm that the browser-side defenses the low score depends on are actually in place: session cookies set SameSite=Lax or Strict, and the CORS configuration does not reflect arbitrary origins while allowing credentials. No additional vendor advisory or patch information is provided on this page, so check the remix-run/react-router repository or release notes for details.
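The bug shape described above, and the check a Framework Mode action or middleware should apply instead, as an added example. This is not React Router's own CSRF code; it assumes requests arrive as Fetch API Request objects and that ALLOWED_ORIGINS lists the origins the application serves. The weak form gates only POST; the fixed form gates every non-safe method, giving the server its own defense even if the CORS or cookie configuration is later loosened.

```javascript
// Added example, not React Router's own check: an origin check for
// state-changing requests in the shape of a Framework Mode action or
// middleware. Assumptions: ALLOWED_ORIGINS is the set of origins the app
// serves, and requests arrive as Fetch API Request objects.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// True when the request looks cross-site. Prefer Sec-Fetch-Site, which
// browsers set and page scripts cannot forge; fall back to Origin for
// clients that do not send it. A request with neither header is treated
// as same-site, because a browser always sends Origin on cross-origin
// fetch/XHR and on cross-site form posts.
function isCrossSite(request, allowedOrigins = ALLOWED_ORIGINS) {
  const site = request.headers.get("sec-fetch-site");
  if (site === "cross-site") return true;
  if (site === "same-origin" || site === "same-site" || site === "none") return false;
  const origin = request.headers.get("origin");
  if (origin === null) return false;
  return !allowedOrigins.has(origin);
}

// Weak form, mirroring the bug shape in the advisory: only POST is gated,
// so a cross-site PUT/PATCH/DELETE that reaches the server is accepted.
function csrfCheckPostOnly(request) {
  if (request.method !== "POST") return { ok: true };
  return isCrossSite(request) ? { ok: false, status: 403 } : { ok: true };
}

// Fixed form: gate every method that may change state, i.e. everything
// outside the safe set, regardless of how the request was produced.
function csrfCheckAllUnsafe(request) {
  if (SAFE_METHODS.has(request.method)) return { ok: true };
  return isCrossSite(request) ? { ok: false, status: 403 } : { ok: true };
}

// Constructed sample request (not captured traffic) against an item route.
function sampleRequest(method, headers) {
  return new Request("https://app.example.com/items/7", { method, headers });
}

// Run both checks over the four state-changing methods as a page on
// another origin would send them; returns { METHOD: { weak, fixed } }
// where each value is the check's ok flag.
function compareChecks() {
  const attacker = { origin: "https://evil.example", "sec-fetch-site": "cross-site" };
  const out = {};
  for (const method of ["POST", "PUT", "PATCH", "DELETE"]) {
    const req = sampleRequest(method, attacker);
    out[method] = { weak: csrfCheckPostOnly(req).ok, fixed: csrfCheckAllUnsafe(req).ok };
  }
  return out;
}

console.table(compareChecks());
```

Running it shows the weak check rejecting only the cross-site POST while accepting PUT, PATCH and DELETE, and the fixed check rejecting all four; same-origin requests and GETs pass both. In a real deployment the rejected path should return 403 before any loader or action runs.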
CVSS v3.1
Score: 3.1 (Low)
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-06-09T20:50:36.877Z
- CVSS Version: 3.1
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a398861eed863c81e5021be
Added to database: 06/22/2026, 19:09:21 UTC
Last enriched: 06/22/2026, 19:24:50 UTC
Last updated: 06/22/2026, 23:12:30 UTC
Views: 6