@remix-run/server-runtime 2.14.0

Direct Vulnerabilities

Known vulnerabilities in the @remix-run/server-runtime package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Allocation of Resources Without Limits or Throttling @remix-run/server-runtime is a Server runtime for Remix Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the `__manifest` endpoint. An attacker can exhaust server resources and cause service disruption by sending specially crafted requests that trigger unbounded path expansion. Note: Users that utilise Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`) are not affected by this issue. How to fix Allocation of Resources Without Limits or Throttling? Upgrade `@remix-run/server-runtime` to version 2.17.5 or higher.	>=2.10.0 <2.17.5
M Cross-site Request Forgery (CSRF) @remix-run/server-runtime is a Server runtime for Remix Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the improper origin checks of UI route submissions in server-side route `action` handlers in Framework Mode. An attacker can execute unauthorized actions by tricking a user into submitting a crafted POST request to a UI route. Note: This issue does not impact applications using Declarative Mode `<BrowserRouter>` or Data Mode `createBrowserRouter/<RouterProvider>`. How to fix Cross-site Request Forgery (CSRF)? Upgrade `@remix-run/server-runtime` to version 2.17.3 or higher.	<2.17.3

Vulnerability

Vulnerable Version

Allocation of Resources Without Limits or Throttling

@remix-run/server-runtime is a Server runtime for Remix

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the __manifest endpoint. An attacker can exhaust server resources and cause service disruption by sending specially crafted requests that trigger unbounded path expansion.

Note:

Users that utilise Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are not affected by this issue.

How to fix Allocation of Resources Without Limits or Throttling?

Upgrade @remix-run/server-runtime to version 2.17.5 or higher.

>=2.10.0 <2.17.5

Cross-site Request Forgery (CSRF)

@remix-run/server-runtime is a Server runtime for Remix

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the improper origin checks of UI route submissions in server-side route action handlers in Framework Mode. An attacker can execute unauthorized actions by tricking a user into submitting a crafted POST request to a UI route.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter> or Data Mode createBrowserRouter/<RouterProvider>.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade @remix-run/server-runtime to version 2.17.3 or higher.

<2.17.3

@remix-run/server-runtime@2.14.0

Server runtime for Remix

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically