CVE-2026-22030: React Router has CSRF issue in Action/Server Action Request Processing

January 8, 2026 (updated January 11, 2026)

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

[!NOTE] This does not impact applications that use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

References

github.com/advisories/GHSA-h5cw-625j-3rxh
github.com/remix-run/react-router
github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh
nvd.nist.gov/vuln/detail/CVE-2026-22030

Code Behaviors & Features

Detect and mitigate CVE-2026-22030 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →