Intel

AIKIDO-2026-442287

remix-utils is vulnerable to Cross-Site Request Forgery (CSRF)

Cross-Site Request Forgery (CSRF) Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Jul 2, 2026

53

Medium Risk

This Affects:

JSremix-utils
8.0.0 - 9.3.1
Fixed in 10.0.0
Are you affected? Scan for Free

TL;DR

The CSRF server helper in src/server/csrf.ts signs authenticity tokens with a plain SHA-256 hash of the token value and ignores the configured secret. Because the signature is an unkeyed hash, anyone can recompute a valid signature for any token value without knowing the secret, so forged or tampered tokens pass signature verification. Verification also compares signatures with a direct string equality check that is not constant-time. The fix signs tokens with HMAC-SHA256 keyed by the configured secret and verifies signatures using a constant-time comparison.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and configure the CSRF helper with a secret.

Background info

remix-utils is vulnerable to Cross-Site Request Forgery (CSRF) in versions 8.0.0 - 9.3.1.

How to fix this

Upgrade the remix-utils library to the patch version.