@react-router/express is vulnerable to Cross-Site Request Forgery (CSRF)
High Risk
Affected versions of this package construct a Request object from the incoming request's properties (method, headers, body) and build a new URL from req.protocol and req.hostname, values derived from untrusted headers such as X-Forwarded-Host or Host. The request is forwarded to this tainted URL without validation, enabling forgery attacks: a malicious site can send forged state-changing requests, such as POST, that carry the victim's session cookies.
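Because the flaw hinges on trusting Host or X-Forwarded-Host when building the forwarded URL, a deployment-level mitigation (in addition to upgrading) is to reject requests whose host header is not on an explicit allowlist before any handler derives a URL from req.hostname. The following is an added example, not code from @react-router/express or from this advisory; the allowlist contents, the hostAllowlist/isTrustedHost names and the behindProxy option are assumptions for illustration.

```javascript
// Added example (not part of @react-router/express): a Host / X-Forwarded-Host
// allowlist applied as Express-style middleware. The allowlist is a
// constructed sample; replace it with the hostnames your deployment serves.
const TRUSTED_HOSTS = new Set(["app.example.com", "localhost"]);

// Normalise a header value: take the first entry of a comma-separated chain,
// lower-case it, strip a trailing :port, and reject anything that is not a
// plain hostname. (Assumption: IPv6 literals are not in use.)
function normalizeHost(raw) {
  if (typeof raw !== "string") return null;
  const first = raw.split(",")[0].trim().toLowerCase();
  if (first === "") return null;
  const host = first.replace(/:\d+$/, "");
  if (!/^[a-z0-9.-]+$/.test(host)) return null;
  return host;
}

// Exact-match check against the allowlist; no suffix or wildcard matching,
// which keeps lookalike hosts out.
function isTrustedHost(raw, allowlist = TRUSTED_HOSTS) {
  const host = normalizeHost(raw);
  return host !== null && allowlist.has(host);
}

// Middleware factory. X-Forwarded-Host is consulted only when the app is
// known to sit behind a proxy that sets it; otherwise Host alone is checked,
// so a client-supplied X-Forwarded-Host cannot override the decision.
function hostAllowlist(allowlist = TRUSTED_HOSTS, { behindProxy = false } = {}) {
  return function (req, res, next) {
    const candidate =
      behindProxy && req.headers["x-forwarded-host"]
        ? req.headers["x-forwarded-host"]
        : req.headers["host"];
    if (!isTrustedHost(candidate, allowlist)) {
      res.statusCode = 400;
      res.end("Bad Request: untrusted Host header");
      return;
    }
    next();
  };
}

// Drive the middleware with constructed request/response objects so the
// behaviour can be observed offline, without a running Express server.
function runCheck(headers, opts) {
  const outcome = { status: 200, passed: false, body: null };
  const req = { headers };
  const res = {
    statusCode: 200,
    end(body) {
      outcome.status = this.statusCode;
      outcome.body = body;
    },
  };
  hostAllowlist(TRUSTED_HOSTS, opts)(req, res, () => {
    outcome.passed = true;
  });
  return outcome;
}
```

Register the middleware ahead of the React Router request handler (for example with app.use(hostAllowlist(TRUSTED_HOSTS, { behindProxy: true })) when a trusted reverse proxy sets X-Forwarded-Host). The check is deliberately exact-match and port-insensitive; widening it to suffix matches would reintroduce the host-confusion the advisory describes.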
You are affected if you are using a version that falls within the vulnerable range.
@react-router/express is vulnerable to Cross-Site Request Forgery (CSRF) in versions 7.0.0 - 7.4.0.
Upgrade the @react-router/express library to a patched version.