cvebase

Remix-Run React-Router vulnerabilities

16 known vulnerabilities affecting remix-run/react-router.

Total CVEs: 16
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 8, MEDIUM 6, LOW 1

Vulnerabilities

CVE-2025-61686 | P2 | CRITICAL | CVSS 9.1 | v @react-router/node >= 7.0.0, < 7.9.4; v @remix-run/deno < 2.17.2; +1 more | 2026-01-10
CWE-22: React Router is a router for React. In @react-router/node versions 7.0.0 through 7.9.3, @remix-run/deno prior to version 2.17.2, and @remix-run/node prior to version 2.17.2, if createFileSessionStorage() is being used from @react-router/node (or @remix-run/node/@remix-run/deno in Remix v2) with an unsigned cookie, it is possible for an attacker to
nvd
CVE-2025-43864 | P3 | HIGH | CVSS 7.5 | v >= 7.2.0, < 7.5.2 | 2025-04-25
CWE-755: React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the resp
ghsa, nvd, osv
CVE-2026-42211 | P3 | HIGH | CVSS 8.1 | v >= 7.0.0, < 7.14.2 | 2026-06-02
CWE-502: React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step atta
ghsa, nvd
CVE-2025-43865 | P3 | HIGH | CVSS 8.2 | v >= 7.0, < 7.5.2 | 2025-04-25
CWE-345: React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. This issue has been patched in version 7.5.2.
ghsa, nvd, osv
CVE-2026-42342 | P3 | HIGH | CVSS 7.5 | v >= 7.0.0, < 7.15.0 | 2026-06-02
CWE-400: React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for en
ghsa, nvd
CVE-2026-21884 | P3 | HIGH | CVSS 8.2 | v @remix-run/react < 2.17.3; v react-router >= 7.0.0, < 7.12.0 | 2026-01-10
CWE-79: React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to gene
ghsa, nvd, osv
CVE-2025-59057 | P3 | HIGH | CVSS 7.6 | v @remix-run/react >= 1.15.0, < 2.17.1; v react-router >= 7.0.0, < 7.9.0 | 2026-01-10
CWE-79: React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the
ghsa, nvd, osv
CVE-2025-31137 | P3 | HIGH | CVSS 7.5 | v >= 7.0.0, < 7.4.1; v >= 2.11.1, < 2.16.3 | 2025-04-01
CWE-444: React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port secti
nvd
CVE-2026-34077 | P3 | HIGH | CVSS 7.5 | v >= 7.0.0, < 7.14.0 | 2026-06-02
CWE-770: React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable R
ghsa, nvd
CVE-2025-68470 | P3 | MEDIUM | CVSS 6.5 | v >= 7.0.0, < 7.9.6; v >= 6.0.0, < 6.30.2 | 2026-01-10
CWE-601: React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navi
ghsa, nvd, osv
CVE-2026-22030 | P4 | MEDIUM | CVSS 6.5 | v @remix-run/router < 2.17.3; v react-router >= 7.0.0, < 7.12.0 | 2026-01-10
CWE-346: React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC mod
ghsa, nvd, osv
CVE-2026-22029 | P4 | MEDIUM | CVSS 6.1 | v >= 7.0.0, < 7.12.0 | 2026-01-10
CWE-79: React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client
ghsa, nvd, osv
CVE-2026-40181 | P4 | MEDIUM | CVSS 6.1 | v >= 7.0.0, < 7.14.1; v >= 6.7.0, < 6.30.4 | 2026-06-02
CWE-601: React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior t
ghsa, nvd
CVE-2026-33244 | P4 | MEDIUM | CVSS 5.4 | v >= 7.5.1, < 7.13.2 | 2026-06-02
CWE-79: React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications
ghsa, nvd
CVE-2026-33245 | P4 | MEDIUM | CVSS 4.7 | v >= 7.7.0, < 7.13.2 | 2026-06-02
CWE-79: React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable
ghsa, nvd
CVE-2026-53663 | P4 | LOW | CVSS 3.1 | v >= 7.12.0, < 7.15.1 | 2026-06-22
CWE-352: React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack v
ghsa, nvd