CVE-2026-34077
published 2026-06-02
Priority P3 · 39 · high · 7.5 (CVSS 3.1)
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.29% (21.0th percentile)
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Affected
94 ranges· showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform | automation-portal | — | — |
| ansible-on-clouds | aoc-azure-aap-installer-rhel9 | — | — |
| apicurio | apicurio-registry-ui-rhel8 | — | — |
| apicurio | apicurio-registry-ui-rhel9 | — | — |
| clusterlabs | pcs | — | — |
| container-native-virtualization | kubevirt-console-plugin | — | — |
| container-native-virtualization | kubevirt-console-plugin-rhel9 | — | — |
| devspaces | dashboard-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| discovery | discovery-ui-rhel9 | — | — |
| exploit-intelligence-tech-preview | agent-client-rhel9 | — | — |
| gatekeeper | gatekeeper-rhel9 | — | — |
| grafana | grafana | — | — |
| migration-toolkit-virtualization | mtv-console-plugin-rhel9 | — | — |
| mozilla | thunderbird | — | — |
| mta | mta-ui-rhel8 | — | — |
| mta | mta-ui-rhel9 | — | — |
| mtv-candidate | mtv-console-plugin-rhel9 | — | — |
| multicluster-engine | console-mce-rhel9 | — | — |
| network-observability | network-observability-console-plugin-compat-rhel9 | — | — |
| network-observability | network-observability-console-plugin-rhel9 | — | — |
| odf4 | ocs-client-console-rhel9 | — | — |
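CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| vendor_redhat | — | 7.5 | HIGH | — |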
GHSA
React Router vulnerable to Denial of Service via reflected user input in single-fetch
ghsa·2026-06-04
CVE-2026-34077 [HIGH] CWE-770 React Router vulnerable to Denial of Service via reflected user input in single-fetch
A DoS vulnerability exists in the React Router v7 [Framework Mode](https://reactrouter.com/start/modes#framework), as well as Remix v2.9.0+ with [Single Fetch](https://v2.remix.run/docs/guides/single-fetch) enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0 or later.
> [!NOTE]
> This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (``) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/``).
VulDB
remix-run react-router/turbo-stream up to 7.13.x allocation of resources (GHSA-rxv8-25v2-qmq8)
vuldb·2026-06-03·CVSS 7.5
CVE-2026-34077 [HIGH] remix-run react-router/turbo-stream up to 7.13.x allocation of resources (GHSA-rxv8-25v2-qmq8)
A vulnerability was found in remix-run react-router and turbo-stream up to 7.13.x. It has been classified as problematic. This affects an unknown function. Performing a manipulation results in allocation of resources.
This vulnerability is cataloged as CVE-2026-34077. It is possible to initiate the attack remotely. There is no exploit available.
Upgrading the affected component is recommended.
Red Hat
react-router: React Router: Denial of Service via client-side Cross-Site Scripting in RSC redirect handling
vendor_redhat·2026-06-02·CVSS 7.5
CVE-2026-34077 [HIGH] CWE-79 react-router: React Router: Denial of Service via client-side Cross-Site Scripting in RSC redirect handling
A flaw was found in React Router (versions 7.7.0 through 7.13.1). When using the unstable React Server Components (RSC) APIs, insufficient sanitization of redirect targets allows client-side cross-site scripting if redirects originate from untrusted sources. An attacker could inject script that disrupts application availability for the victim user. Applications not using the unstable RSC APIs are not affected. Fixed in React Router 7.13.2.
Statement: React Router is vulnerable to client-side XSS in unstable RSC redirect handling when redirects come from untrusted sources. A remote unauthenticated attacker who can cause a victim to follow a crafted redirect (user interaction require
No detection rules found.
No public exploits indexed.
Published: 2026-06-02