CVE-2026-53663 Overview
CVE-2026-53663 affects React Router, a routing library for React applications. The vulnerability exists in React Router v7 Framework Mode from version 7.12.0 until 7.15.1. Cross-Site Request Forgery (CSRF) checks ran on POST requests but were bypassed on PUT, PATCH, and DELETE requests. The flaw is categorized as [CWE-352] Cross-Site Request Forgery. Modern browser protections such as CORS preflight checks and SameSite cookie defaults already block most cross-origin attack vectors that the missing CSRF check would otherwise gate. The issue is fixed in version 7.15.1.
Critical Impact
Attackers exploiting this flaw could bypass CSRF protections on non-POST HTTP methods, but practical exploitation requires user interaction and is constrained by modern browser security defaults.
Affected Products
- React Router v7 Framework Mode versions 7.12.0 through 7.15.0
- Applications using React Router v7 server-side action handlers with PUT, PATCH, or DELETE methods
- The remix-run/react-router package distributed via npm
Discovery Timeline
- 2026-06-22 - CVE-2026-53663 published to NVD
- 2026-06-23 - Last updated in NVD database
Technical Details for CVE-2026-53663
Vulnerability Analysis
React Router v7 Framework Mode includes server-side action handlers that process state-changing HTTP requests. The framework implements CSRF validation to prevent cross-origin attackers from forging authenticated requests against a user's session. The validation logic was applied to POST requests but did not extend to PUT, PATCH, and DELETE methods. An application relying on React Router's built-in CSRF check for these methods would process forged requests without verification.
Exploitation requires a victim to interact with attacker-controlled content while authenticated to the target application. The attacker would need to trigger a same-origin or otherwise permitted cross-origin request using PUT, PATCH, or DELETE against the React Router server endpoint. The attack is constrained by browser CORS preflight requirements and SameSite cookie defaults, which block most simple cross-origin scenarios.
Root Cause
The root cause is incomplete enforcement of CSRF token validation within React Router's framework-mode request handling. The validation branch covered POST handlers but omitted the equivalent checks for PUT, PATCH, and DELETE method handlers. The asymmetry left a logic gap that allowed state-changing requests on non-POST methods to bypass the protection.
Attack Vector
The attack vector is network-based and requires user interaction. An attacker hosts a page that issues a PUT, PATCH, or DELETE request to a vulnerable React Router endpoint. If browser-level protections do not block the request, the application processes it as authenticated without CSRF verification. The complexity is high because the attacker must circumvent CORS preflight rules and SameSite cookie behavior to reach the vulnerable code path. See the GitHub Security Advisory GHSA-84g9-w2xq-vcv6 for the upstream technical description.
Detection Methods for CVE-2026-53663
Indicators of Compromise
- Unexpected PUT, PATCH, or DELETE requests in web server access logs targeting React Router action endpoints from external referrers
- Server-side action invocations lacking expected CSRF token headers or form fields on non-POST methods
- State-changing operations executed without a corresponding prior GET or authenticated workflow
Detection Strategies
- Inventory all applications using react-router and confirm versions against the affected range 7.12.0 to 7.15.0
- Inspect server action handlers for routes accepting PUT, PATCH, or DELETE methods and validate that explicit CSRF checks are performed
- Review web application firewall (WAF) logs for cross-origin requests using non-POST methods against application endpoints
Monitoring Recommendations
- Enable verbose request logging on React Router server endpoints, capturing HTTP method, Origin header, and Referer header
- Alert on PUT, PATCH, or DELETE requests originating from unexpected origins or lacking session-consistent referers
- Track package versions across CI/CD pipelines to identify deployments running vulnerable react-router releases
How to Mitigate CVE-2026-53663
Immediate Actions Required
- Upgrade React Router to version 7.15.1 or later in all affected applications
- Audit application routes that handle PUT, PATCH, or DELETE methods and confirm CSRF tokens are validated server-side
- Verify that authentication cookies are configured with SameSite=Lax or SameSite=Strict as a defense-in-depth measure
Patch Information
The vulnerability is fixed in React Router 7.15.1. Update the react-router dependency in package.json and rebuild affected applications. Refer to the GitHub Security Advisory GHSA-84g9-w2xq-vcv6 for upstream patch details.
Workarounds
- Implement application-level CSRF validation in action handlers for PUT, PATCH, and DELETE methods until the patch is applied
- Enforce strict CORS policies that reject cross-origin requests with non-simple HTTP methods
- Configure session cookies with the SameSite=Strict attribute to limit cross-site request inclusion
# Configuration example
npm install react-router@7.15.1
# Verify the installed version
npm ls react-router
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

