CVE-2025-59057
published 2026-01-10
CVE-2025-59057: React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability…
Priority P344 · high · 7.6 · CVSS 3.1
AV:N / AC:L / PR:L / UI:R / S:C / C:H / I:L / A:N
EPSS
0.45%
35.7th percentile
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode () or Data Mode (createBrowserRouter/). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
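The bug class described above is untrusted data serialized into a `<script type="application/ld+json">` tag during server rendering. The following is an added illustration of that class and of one standard hardening (JSON-safe escaping of `<`, `>`, `&` and the U+2028/U+2029 line terminators); it is not React Router's code or its actual fix, and the product record it uses is constructed.

```javascript
// Added illustration, not React Router's code: why embedding JSON.stringify() output
// directly into a <script type="application/ld+json"> element is unsafe, and a hardened form.
// Inside a <script> element the HTML parser does not decode entities; the element ends at the
// first literal "</script" sequence. JSON.stringify escapes quotes but leaves "<" and ">" alone,
// so a string field controlled by a user can terminate the tag early.

// Naive SSR helper: the pattern the advisory warns about when `data` contains untrusted input.
function renderLdJsonNaive(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardening: replace every character that can change HTML parsing inside a script element
// with its JSON \uXXXX escape. The result is still valid JSON and parses to the same value.
function escapeJsonForScript(json) {
  return json
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

function renderLdJsonSafe(data) {
  return `<script type="application/ld+json">${escapeJsonForScript(JSON.stringify(data))}</script>`;
}

// Detection-style check: how many script end-tag sequences would the HTML tokenizer see?
// A correctly rendered tag contains exactly one.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Round trip: extract the body of the rendered tag and parse it back to an object.
function roundTrip(data) {
  const html = renderLdJsonSafe(data);
  const body = html.slice(html.indexOf(">") + 1, html.lastIndexOf("</script>"));
  return JSON.parse(body);
}

// Constructed sample: a user-supplied product name that carries a closing tag.
const untrustedProduct = {
  "@context": "https://schema.org",
  "@type": "Product",
  name: "Widget </script><!-- constructed marker --> review",
};

console.log(countScriptEndTags(renderLdJsonNaive(untrustedProduct))); // 2: tag boundary broken
console.log(countScriptEndTags(renderLdJsonSafe(untrustedProduct)));  // 1: only the real end tag
console.log(roundTrip(untrustedProduct).name === untrustedProduct.name); // true: data preserved
```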
Affected
6 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| remix-run | react | >= 1.15.0 < 2.17.1 | 2.17.1 |
| remix-run | react-router | — | — |
| remix-run | react-router | — | — |
| remix-run | react-router | >= 7.0.0 < 7.9.0 | 7.9.0 |
| shopify | react-router | 7.0.0 – 7.8.2 | — |
| shopify | remix-run_react | 1.15.0 – 2.17.0 | — |
CVSS provenance
nvd · v3.1 · 7.6 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
vendor_redhat · 7.6 HIGH
GHSA
React Router has XSS Vulnerability
ghsa·2026-01-08
CVE-2025-59057 [HIGH] CWE-79 React Router has XSS Vulnerability
An XSS vulnerability exists in React Router's `meta()`/`` APIs in [Framework Mode](https://reactrouter.com/start/modes#framework) when generating `script:ld+json` tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.
> [!NOTE]
> This does not impact applications using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (``) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/``).
OSV
React Router has XSS Vulnerability
osv·2026-01-08
CVE-2025-59057 [HIGH] React Router has XSS Vulnerability
An XSS vulnerability exists in React Router's `meta()`/`` APIs in [Framework Mode](https://reactrouter.com/start/modes#framework) when generating `script:ld+json` tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.
> [!NOTE]
> This does not impact applications using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (``) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/``).
Red Hat
react-router: @remix-run/router: React Router XSS Vulnerability
vendor_redhat·2026-01-10·CVSS 7.6
CVE-2025-59057 [HIGH] CWE-79 react-router: @remix-run/router: React Router XSS Vulnerability
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode () or Data Mode (createBrowserRouter/). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
The cross-site scripting flaw has been discovered in the npm react-router package. An XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when
No detection rules found.
No public exploits indexed.
Wiz
CVE-2025-59057 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2025-59057 [HIGH] CVE-2025-59057 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-59057: JavaScript vulnerability analysis and mitigation
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode () or Data Mode (createBrowserRouter/). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
Source: NVD
Score 7.6
Published January 10, 2026
Severity HIGH
CNA Score 7.6
Affected Technologies
JavaScript
React Router
Has Public Exploit Ye
Wiz
CVE-2025-68470 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 7.6
CVE-2025-68470 [HIGH] CVE-2025-68470 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2025-68470: React Router vulnerability analysis and mitigation
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Source: NVD
Score 6.5
Published January 10, 2026
Severity MEDIUM
CNA Score 6.5
Affected Technologies
React Router
Linux Red Hat
Has Public Exploit No
Has CISA KEV Exploit No
CISA KEV Release Date N/A
CISA KEV Due Date N/A
Exploitation Probability Percentile (
Bugzilla
CVE-2025-59057 react-router: @remix-run/router: React Router XSS Vulnerability
bugzilla·2026-01-10·CVSS 7.6
CVE-2025-59057 [HIGH] CVE-2025-59057 react-router: @remix-run/router: React Router XSS Vulnerability
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode () or Data Mode (createBrowserRouter/). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
Discussion:
This issue has been addressed in the following products:
Red Hat Ansible Automation Platform 2.6 for RHEL 9
Red Hat Ansible Automation Pla
https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8
https://access.redhat.com/errata/RHSA-2026:19712
https://access.redhat.com/errata/RHSA-2026:3782
https://access.redhat.com/errata/RHSA-2026:3958
https://access.redhat.com/errata/RHSA-2026:3960
https://access.redhat.com/security/cve/CVE-2025-59057
https://bugzilla.redhat.com/show_bug.cgi?id=2428426
https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-59057.json
Published 2026-01-10