CVE-2026-42342
Published 2026-06-02
Priority: P3 45 high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 0.30% (21.5th percentile)
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (``) or Data Mode (`createBrowserRouter/`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.
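To check whether a project resolves one of the versions named above, the following added example (not code from React Router or from any feed on this page) classifies `package-lock.json` entries against the stated ranges. The lockfile layout (lockfileVersion 2 or 3), the function names and the sample data are assumptions of the example; a match reports the version only, not whether the application runs in Framework Mode.

```javascript
// Ranges from the advisory text: first affected version and first fixed version.
const ADVISORY = new Map([
  ["react-router", { first: [7, 0, 0], fixed: [7, 15, 0] }],
  ["@remix-run/server-runtime", { first: [2, 10, 0], fixed: [2, 17, 5] }],
]);

// Parse "7.14.2" or "7.15.0-pre.1" into [major, minor, patch, isPrerelease].
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3]), Boolean(m[4])] : null;
}

// Compare the numeric major.minor.patch parts only.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// Returns "affected", "fixed", "not-in-range" or "unknown".
function classify(name, version) {
  const range = ADVISORY.get(name);
  const v = parseVersion(version);
  if (!range || !v) return "unknown";
  if (cmp(v, range.first) < 0) return "not-in-range";
  const c = cmp(v, range.fixed);
  // A prerelease of the fixed version sorts before it, so report it as affected.
  return c < 0 || (c === 0 && v[3]) ? "affected" : "fixed";
}

// Walk the "packages" map of a parsed package-lock.json, including nested copies.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (!ADVISORY.has(name)) continue;
    findings.push({ path, name, version: meta.version, status: classify(name, meta.version) });
  }
  return findings;
}

// Constructed sample lockfile fragment (not taken from a real project).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/react-router": { version: "7.14.2" },
  "node_modules/@remix-run/server-runtime": { version: "2.17.5" },
  "node_modules/legacy/node_modules/react-router": { version: "6.30.1" },
}};

console.table(auditLockfile(sampleLock));
```

For a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLockfile` in place of the sample object.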
Affected
84 ranges, showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| advanced-cluster-security | rhacs-main-rhel8 | — | — |
| ansible-automation-platform-26 | gateway-rhel9 | — | — |
| ansible-automation-platform-27 | gateway-rhel9 | — | — |
| ansible-automation-platform | automation-portal | — | — |
| ansible-on-clouds | aoc-azure-aap-installer-rhel9 | — | — |
| apicurio | apicurio-registry-ui-rhel8 | — | — |
| apicurio | apicurio-registry-ui-rhel9 | — | — |
| clusterlabs | pcs | — | — |
| container-native-virtualization | kubevirt-console-plugin | — | — |
| devspaces | dashboard-rhel9 | — | — |
| devspaces | openvsx-rhel9 | — | — |
| discovery | discovery-ui-rhel9 | — | — |
| exploit-intelligence-tech-preview | agent-client-rhel9 | — | — |
| gatekeeper | gatekeeper-rhel9 | — | — |
| grafana | grafana | — | — |
| migration-toolkit-virtualization | mtv-console-plugin-rhel9 | — | — |
| mozilla | thunderbird | — | — |
| mta | mta-ui-rhel8 | — | — |
| mta | mta-ui-rhel9 | — | — |
| mtv-candidate | mtv-console-plugin-rhel9 | — | — |
| multicluster-engine | console-mce-rhel9 | — | — |
| network-observability | network-observability-console-plugin-compat-rhel9 | — | — |
| network-observability | network-observability-console-plugin-rhel9 | — | — |
| odf4 | ocs-client-console-rhel9 | — | — |
| odf4 | odf-console-rhel9 | — | — |
CVSS provenance
nvd: v3.1, 7.5 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vendor_redhat: 7.5 HIGH
GHSA
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
ghsa·2026-06-03
CVE-2026-42342 [HIGH] CWE-400 React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
There exists a potential DoS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degradation and/or service unavailability for end users.
> [!NOTE]
> This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (``) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/``).
VulDB
remix-run react-router up to 7.14.x Requests resource consumption (GHSA-8x6r-g9mw-2r78)
vuldb·2026-06-03·CVSS 7.5
CVE-2026-42342 [HIGH] remix-run react-router up to 7.14.x Requests resource consumption (GHSA-8x6r-g9mw-2r78)
A vulnerability was found in remix-run react-router up to 7.14.x and classified as problematic. This issue affects some unknown processing of the component Requests Handler. The manipulation results in resource consumption.
This vulnerability is cataloged as CVE-2026-42342. The attack may be launched remotely. There is no exploit available.
It is suggested to upgrade the affected component.
Red Hat
react-router: @remix-run/server-runtime: React Router / Remix: Denial of Service via unbounded path expansion in __manifest endpoint
vendor_redhat·2026-06-02·CVSS 7.5
CVE-2026-42342 [HIGH] CWE-770 react-router: @remix-run/server-runtime: React Router / Remix: Denial of Service via unbounded path expansion in __manifest endpoint
A flaw was found in Reac
No detection rules found.
No public exploits indexed.