Bug 2491492 (CVE-2026-53663) - CVE-2026-53663 react-router: @remix-run/server-runtime: React Router: Insufficient CSRF protection allows integrity impact [NEEDINFO]
Summary: CVE-2026-53663 react-router: @remix-run/server-runtime: React Router: Insuffi...
Keywords:
Status: NEW
Alias: CVE-2026-53663
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-22 19:02 UTC by OSIDB Bzimport
Modified: 2026-06-23 11:56 UTC (History)
168 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:
abokovoy: needinfo? (gnaik)

Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-22 19:02:00 UTC 
React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate. This vulnerability is fixed in 7.15.1.
Note You need to log in before you can comment on or make changes to this bug.