High severity · OSV Advisory · Published Jan 10, 2026 · Updated Jan 12, 2026
React Router has XSS Vulnerability
CVE-2025-59057
Description
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode () or Data Mode (createBrowserRouter/). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
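The failure mode described above, as an added example that is not React Router's code and not the project's patch: a server-rendered ld+json tag built from untrusted data, next to a version that escapes HTML-significant characters in the serialized JSON. All function names and the sample record are constructed for illustration; the escaping shown is a common mitigation for JSON embedded in HTML, assumed here because the page does not describe the fix itself.

```javascript
// Added illustration; hypothetical helpers, not the React Router API.

// Naive SSR output: JSON.stringify leaves "<" untouched, so a string value
// containing a closing script tag ends the element early in the HTML parser.
function renderJsonLdNaive(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// "<", ">" and "&" can only occur inside JSON string values, so rewriting
// them as \uXXXX escapes keeps the JSON equivalent after parsing.
const HTML_SIGNIFICANT = { "<": "\\u003c", ">": "\\u003e", "&": "\\u0026" };

function escapeJsonForHtml(json) {
  return json.replace(/[<>&]/g, (ch) => HTML_SIGNIFICANT[ch]);
}

function renderJsonLdEscaped(data) {
  const json = escapeJsonForHtml(JSON.stringify(data));
  return `<script type="application/ld+json">${json}</script>`;
}

// Number of script end tags an HTML parser would find in the markup.
// Exactly one (the wrapper's own) means the data stayed inside the element.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Text between the opening tag and the final end tag.
function payloadOf(html) {
  return html.slice(html.indexOf(">") + 1, html.lastIndexOf("</script>"));
}

// Constructed sample: a headline field taken from untrusted input.
const untrusted = {
  "@context": "https://schema.org",
  "@type": "Article",
  headline: "Q3 results</script><script>/* constructed marker */</script>",
};

console.log("naive end tags:  ", countScriptEndTags(renderJsonLdNaive(untrusted)));
console.log("escaped end tags:", countScriptEndTags(renderJsonLdEscaped(untrusted)));
console.log("round trip ok:   ",
  JSON.parse(payloadOf(renderJsonLdEscaped(untrusted))).headline === untrusted.headline);
```

A count above one in rendered output is a usable regression check for any code path that serializes request- or database-derived values into a script element.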
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| react-router (npm) | >= 7.0.0, < 7.9.0 | 7.9.0 |
| @remix-run/react (npm) | >= 1.15.0, < 2.17.1 | 2.17.1 |
Affected products
- ghsa-coords (2 versions)
  - (no CPE) range: >= 1.15.0, < 2.17.1
  - (no CPE) range: >= 7.0.0, < 7.9.0
References
- github.com/advisories/GHSA-3cgp-3xvw-98x8 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2025-59057 (ghsa, ADVISORY)
- github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8 (ghsa, x_refsource_CONFIRM, WEB)