Technologyglobal✓ verified · 90%

React Router: Potential CSRF via PUT/PATCH/DELETE document requests

Name: React Router: Potential CSRF via PUT/PATCH/DELETE document requests
Start: 2026-06-15T20:06:15Z
Location: Global (internet)

When: 2026-06-15 20:06 UTC
Where: Global (internet)
Category: cyber_advisory · npm

Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate. > [!NOTE] > This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#framework) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

Sources

GitHub Advisory Database ↗ · first seen 2026-06-15 20:06 UTC

Defaxon links out to the original reporting and never republishes article text.

Correlated events

Computed by the Defaxon correlation engine — linked by shared actors, co-location, and temporal proximity. Scored hypotheses, never causal claims.

No correlated events found in the current window. As more events arrive, connections form automatically.

← Back to the live map