React Router / Remix Patch CSRF Vulnerability in Server Actions (CVE-2026-22030)


What happened

  • The React Router / Remix runtime teams published a security advisory (CVE-2026-22030 / GHSA-h5cw-625j-3rxh) describing a cross-site request forgery (CSRF) / origin‑validation flaw that can be triggered by document POST requests when using server-side route action handlers in Framework Mode or when using experimental React Server Actions. The issue is rated Moderate (CVSS 6.5). Patched releases are available. (github.com)

Why this matters to full‑stack teams

  • Server-side route actions and React Server Actions execute or trigger server logic directly from UI routes. A CSRF gap in that request-processing path lets an attacker with an authenticated victim induce unwanted state changes (for example: change data, perform transactions, or modify settings) by getting the victim to load a malicious page that submits a POST to your app.
  • Teams using Framework Mode, Remix v2, or unstable RSC/Server Action features are the primary risk group — apps using Declarative Mode () or Data Mode (createBrowserRouter/RouterProvider) are not affected according to the advisory. (github.com)

Immediate actions (priority order)

  1. Update dependencies now
    • Upgrade @remix-run/server-runtime to >= 2.17.3 and react-router to >= 7.12.0 in any projects that use Framework Mode or Server Actions. Treat this like any other dependency security patch: run tests and deploy as soon as CI greenlights it. (github.com)
  2. Identify affected code paths
    • Audit routes that expose server-side action handlers, server functions, or experimental Server Actions. Focus on any document POST endpoints that accept form data or mutate state.
  3. Apply runtime mitigations until every service is patched
    • Require explicit anti‑CSRF protections for affected endpoints (CSRF tokens, SameSite=strict cookies for session cookies, origin/referrer checks) and prefer state‑changing endpoints that require an explicit header or token that browsers won’t send automatically.
  4. CI / dependency hygiene
    • Ensure dependency scans (npm audit, Snyk, Dependabot/GitHub Dependabot security updates) are active and auto-create PRs for this advisory; pin and test transitive upgrades in staging before production rollout.
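The stop-gap in step 3, as an added example that is not code from the advisory or from the React Router/Remix projects: a request-origin gate (Sec-Fetch-Site, then Origin, then Referer) plus a double-submit token comparison for a state-changing route action. The header names are standard browser headers; the action wiring shown in the comment, the `ALLOWED_ORIGINS` list and the token names are assumptions.

```javascript
// Added example: an origin gate and CSRF token check for a mutating route
// action, usable until every service runs a patched runtime.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// headers: plain object keyed by lower-case header name (what
// Object.fromEntries(request.headers) yields in an action).
// allowedOrigins: the origins your own documents are served from.
function checkRequestOrigin({ method, headers }, allowedOrigins) {
  if (SAFE_METHODS.has(method.toUpperCase())) {
    return { ok: true, reason: "safe method" };
  }
  // Sec-Fetch-Site is set by the browser, not by page script; a cross-site
  // document POST arrives as "cross-site" and is rejected outright.
  const fetchSite = headers["sec-fetch-site"];
  if (fetchSite && fetchSite !== "same-origin" && fetchSite !== "none") {
    return { ok: false, reason: `sec-fetch-site=${fetchSite}` };
  }
  // Origin is sent on cross-origin form POSTs; fall back to Referer.
  const origin = headers["origin"] ?? originOf(headers["referer"]);
  if (!origin) {
    // Neither header present: fail closed rather than trust the request.
    return { ok: false, reason: "no origin or referer" };
  }
  if (!allowedOrigins.includes(origin)) {
    return { ok: false, reason: `origin ${origin} not allowed` };
  }
  return { ok: true, reason: "origin allowed" };
}

function originOf(referer) {
  if (!referer) return undefined;
  try { return new URL(referer).origin; } catch { return undefined; }
}

// Double-submit token: the hidden form field must equal the cookie value.
// The loop compares every character so timing does not reveal where the
// mismatch is; token length is fixed, so the early length check is fine.
function tokensMatch(formToken, cookieToken) {
  if (typeof formToken !== "string" || typeof cookieToken !== "string") return false;
  if (formToken.length !== cookieToken.length) return false;
  let diff = 0;
  for (let i = 0; i < formToken.length; i++) {
    diff |= formToken.charCodeAt(i) ^ cookieToken.charCodeAt(i);
  }
  return diff === 0;
}

// Assumed wiring inside a route action (shown as a comment only):
//   const headers = Object.fromEntries(request.headers);
//   const verdict = checkRequestOrigin({ method: request.method, headers }, ALLOWED_ORIGINS);
//   if (!verdict.ok) throw new Response("Forbidden", { status: 403 });
//   const form = await request.formData();
//   if (!tokensMatch(form.get("csrf"), readCookie(request, "csrf"))) throw new Response("Forbidden", { status: 403 });
```

Log the `reason` on every rejection; a cluster of `cross-site` or `no origin or referer` rejections against one action is the runtime signal step 3 of the detection list asks for.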

Detection and verification

  • Inventory: run dependency checks (npm ls @remix-run/server-runtime react-router or equivalent in other package managers) across repositories and build pipelines.
  • Runtime checks: look for unexpected POSTs to UI routes in access logs and web application firewalls; verify that requests that mutate state require either a validated CSRF token or an explicit API header not present in automatic cross-origin form submissions.
  • Tests: add integration tests simulating CSRF attempts against action endpoints (missing token, wrong origin) to prevent regressions.

Longer-term mitigations and best practices

  • Prefer explicit API routes for state changes: keep UI routing separate from mutation endpoints when possible, and make mutation endpoints require CSRF tokens or bearer tokens.
  • Harden Server Actions usage: avoid enabling unstable RSC/Server Action features in production until you can fully evaluate the security model or until upstream projects mark them stable with hardened request validation.
  • Automate: block merging of dependency updates without automated test coverage for server‑side handlers and consider runtime feature flags that disable experimental server features by default.

Summary

CVE-2026-22030 is a practical CSRF/origin-validation flaw in server-side action handling used by React Router / Remix runtimes. If your stack uses Framework Mode or the unstable Server Actions path, upgrade to the patched runtime versions immediately, audit affected endpoints, and add CSRF/Origin protections as needed. (github.com)

Source: GitHub security advisory — GHSA-h5cw-625j-3rxh (React Router / @remix-run/server-runtime). (github.com)
