remix-utils is vulnerable to Cross-Site Request Forgery (CSRF)
53
Medium Risk
The CSRF server helper in src/server/csrf.ts signs authenticity tokens with a plain SHA-256 hash of the token value and ignores the configured secret. Because the signature is an unkeyed hash, anyone can recompute a valid signature for any token value without knowing the secret, so forged or tampered tokens pass signature verification. Verification also compares signatures with a direct string equality check that is not constant-time. The fix signs tokens with HMAC-SHA256 keyed by the configured secret and verifies signatures using a constant-time comparison.
You are affected if you are using a version that falls within the vulnerable range and configure the CSRF helper with a secret.
remix-utils is vulnerable to Cross-Site Request Forgery (CSRF) in versions 8.0.0 - 9.3.1.
Upgrade the remix-utils library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant