CVE-2026-33244
Description
React Router versions 7.5.1-7.13.1 are vulnerable to XSS when using Framework Mode with pre-rendering if the redirect location is untrusted.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
React Router versions 7.5.1 through 7.13.1 are vulnerable to Cross-Site Scripting (XSS) when an application uses Framework Mode with pre-rendering enabled. The root cause is improper neutralization of the HTTP Location header value: when a route redirects during pre-rendering, the redirect location is written into the statically generated HTML file without being escaped, so a redirect location that originates from an untrusted source can inject markup and script into that file. Applications using Declarative Mode or Data Mode (`createBrowserRouter`) are not affected [1].
Exploitation
An attacker exploits this by influencing the redirect location that a Framework Mode application emits while it is being pre-rendered, for example a redirect target the application derives from untrusted data at build time. Because that value is not neutralized before it is embedded in the statically generated HTML, an attacker-controlled string can close the surrounding attribute or element and add a script element. The injected script then executes in the browser of every user who loads the generated page.
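The following is an added illustration of the flaw described in the Vulnerability and Exploitation sections, not React Router's own code: a pre-render step that writes a redirect location into a static HTML redirect page. The exact markup React Router emits is not stated on this page, so the meta-refresh page shape below, the function names, and the sample payload are assumptions for illustration. The unsafe function interpolates the location verbatim; the hardened one rejects non-http(s) schemes and HTML-escapes the value before it lands in the attribute.

```javascript
// Added example (not React Router's code). The HTML shape, function names and
// payload are assumptions chosen to show how an unescaped redirect location
// becomes stored XSS in a pre-rendered page, and one way to neutralize it.

// Vulnerable: the Location value is interpolated straight into the HTML.
// A value containing `">` closes the attribute and the meta element, so any
// markup that follows becomes part of the generated document.
function renderRedirectPageUnsafe(location) {
  return (
    `<!DOCTYPE html><html><head>` +
    `<meta http-equiv="refresh" content="0;url=${location}">` +
    `</head><body></body></html>`
  );
}

// Escape the five characters that can break out of an attribute or text node.
// `&` -> `&amp;` is correct inside an attribute: the browser decodes the entity
// back to `&` before using the URL, so query strings still work.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the URL scheme in lower case, or null for relative locations.
function schemeOf(location) {
  const m = String(location).trim().match(/^([a-zA-Z][a-zA-Z0-9+.-]*):/);
  return m ? m[1].toLowerCase() : null;
}

// Hardened: refuse schemes that are not http(s) (a relative path is allowed),
// then escape the value so it cannot leave the attribute it is placed in.
function renderRedirectPageSafe(location) {
  const value = String(location).trim();
  const scheme = schemeOf(value);
  if (scheme !== null && scheme !== "http" && scheme !== "https") {
    throw new Error(`refusing redirect to non-http(s) scheme: ${scheme}`);
  }
  return (
    `<!DOCTYPE html><html><head>` +
    `<meta http-equiv="refresh" content="0;url=${escapeHtml(value)}">` +
    `</head><body></body></html>`
  );
}

// True if the rendered page contains a <script> element that was not in the template.
function containsInjectedScript(html) {
  return /<script[\s>]/i.test(html);
}

// Constructed sample: an attacker-influenced redirect target that breaks out of
// the content attribute and appends a script element.
const CONSTRUCTED_PAYLOAD = '/next"><script>alert(document.domain)</script><meta x="';

function demo() {
  const unsafe = renderRedirectPageUnsafe(CONSTRUCTED_PAYLOAD);
  const safe = renderRedirectPageSafe(CONSTRUCTED_PAYLOAD);
  return { unsafeInjected: containsInjectedScript(unsafe), safeInjected: containsInjectedScript(safe) };
}
```

Running `demo()` shows the unsafe render containing an executable script element while the hardened render keeps the same bytes inert inside the attribute. The scheme check is a defense-in-depth measure against `javascript:` targets; the escaping step alone is what closes the XSS on this page.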
Impact
Successful exploitation of this vulnerability allows an attacker to inject and execute arbitrary JavaScript code within the context of a user's browser. This can lead to various malicious actions, such as session hijacking, data theft, or redirection to phishing sites, depending on the privileges of the user viewing the compromised page.
Mitigation
This vulnerability is patched in React Router version 7.13.2. Users are advised to upgrade to version 7.13.2 or later to remediate the issue. No workarounds are specified for affected versions [1].
AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Range: 7.5.1 - 7.13.1
References