React Router has XSS Vulnerability
Description
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
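Why JSON placed inside an ld+json script tag needs HTML-safe escaping when it carries untrusted strings, shown as an added example that is not React Router's code or its patch. The function names and the sample object are constructed for illustration, and the escaping shown is the general technique for inline JSON, assumed here rather than taken from the fixed releases.

```javascript
// Added illustration; all function names here are hypothetical.

// Characters that can end or confuse a <script> element when they appear in
// inline JSON. Writing them as \uXXXX escapes leaves the parsed value unchanged
// while removing the raw characters from the HTML stream.
const ESCAPE_LOOKUP = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};
const ESCAPE_REGEX = /[<>&\u2028\u2029]/g;

function escapeJsonForHtml(json) {
  return json.replace(ESCAPE_REGEX, (ch) => ESCAPE_LOOKUP[ch]);
}

// Weak form: JSON.stringify escapes quotes and backslashes but not "<", so a
// "</script" inside any string value closes the element early.
function renderLdJsonUnsafe(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened form: same JSON, escaped before it is placed in the HTML.
function renderLdJsonSafe(data) {
  const json = escapeJsonForHtml(JSON.stringify(data));
  return `<script type="application/ld+json">${json}</script>`;
}

// Check usable in a unit test: a correctly rendered tag contains exactly one
// "</script" sequence (its own closing tag).
function countScriptCloseTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Recover the structured data from a rendered tag, to confirm the escaping
// does not alter what consumers of the JSON-LD see.
function parseLdJson(html) {
  const start = html.indexOf(">") + 1;
  const end = html.lastIndexOf("</script>");
  return JSON.parse(html.slice(start, end));
}

// Constructed sample: a field that would come from user-controlled data.
const untrusted = {
  "@context": "https://schema.org",
  "@type": "Product",
  name: "Widget </script> & more",
};
```

A `countScriptCloseTags` style assertion over server-rendered output is a cheap regression test for any route whose structured data includes user-supplied fields.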
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| react-router (npm) | >= 7.0.0, < 7.9.0 | 7.9.0 |
| @remix-run/react (npm) | >= 1.15.0, < 2.17.1 | 2.17.1 |
References
- github.com/advisories/GHSA-3cgp-3xvw-98x8 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-59057 (advisory)
- github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8 (x_refsource_CONFIRM, web)