CVE-2026-34077

Vulnerability

A client-side Cross-Site Scripting (XSS) vulnerability exists in React Router versions 7.7.0 through 7.13.1 when utilizing the unstable React Server Components (RSC) APIs. This vulnerability is specifically triggered if redirects originate from untrusted sources and does not affect applications not using these unstable RSC APIs [1].

Exploitation

An attacker can exploit this vulnerability by crafting a malicious redirect that, when processed by the React Router's RSC redirect handling, injects and executes arbitrary JavaScript in the context of the user's browser. This requires the affected application to be using the unstable RSC APIs and for the redirect to come from an untrusted source [1].

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary client-side scripts within the user's browser session. This can lead to various malicious actions such as session hijacking, data theft, or further phishing attacks, depending on the privileges of the compromised user context.

Mitigation

This vulnerability is patched in version 7.13.2. Users should upgrade to React Router version 7.14.0 or later. Applications not using the unstable RSC APIs are not impacted [1].