CVE-2026-33245

Vulnerability

React Router versions 7.7.0 through 7.13.1 contain a client-side Cross-Site Scripting (XSS) vulnerability when utilizing the unstable React Server Components (RSC) APIs. This vulnerability specifically affects the RSC redirect handling mechanism if the redirects originate from untrusted sources. Applications not using the unstable RSC APIs are not impacted [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious redirect URL containing JavaScript code, which, if presented to a user interacting with an affected application, can be executed in the user's browser. This requires the application to be using the unstable RSC APIs and to be susceptible to receiving untrusted redirect sources [1].

Impact

Successful exploitation of this vulnerability can lead to client-side Cross-Site Scripting (XSS), allowing an attacker to execute arbitrary JavaScript code within the context of the user's browser session. This can result in the theft of sensitive information, session hijacking, or manipulation of the application's user interface [1].

Mitigation

This vulnerability is fixed in React Router version 7.13.2. Users are advised to upgrade to this version or later. No workarounds are available for versions prior to the fix, other than avoiding the use of unstable RSC APIs with untrusted redirect sources [1].