CVE-2026-42342
Description
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`) or Data Mode (createBrowserRouter/`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
react-routernpm | >= 7.0.0, < 7.15.0 | 7.15.0 |
@remix-run/server-runtimenpm | >= 2.10.0, < 2.17.5 | 2.17.5 |
Affected products
9- cpe:2.3:a:shopify:remix-run\/server-runtime:*:*:*:*:*:node.js:*:*Range: >=2.10.0,<2.17.5
- Range: 7.0.0 - 7.14.x
- Range: 2.10.0 - 2.17.4
- osv-coords4 versionspkg:apk/chainguard/vitess-24pkg:apk/wolfi/vitess-24pkg:npm/%40remix-run/server-runtimepkg:npm/react-router
< 24.0.1-r2+ 3 more
- (no CPE)range: < 24.0.1-r2
- (no CPE)range: < 24.0.1-r2
- (no CPE)range: >= 2.10.0, < 2.17.5
- (no CPE)range: >= 7.0.0, < 7.15.0
Patches
Vulnerability mechanics
References
3- github.com/advisories/GHSA-8x6r-g9mw-2r78ghsaADVISORY
- github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78nvdVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-42342ghsaADVISORY
News mentions
0No linked articles in our index yet.