VYPR
← All advisories
High severity7.5NVD Advisory· Published Jun 2, 2026

CVE-2026-42342

CVE-2026-42342

Description

React Router versions 7.0.0-7.14.x and @remix-run/server-runtime 2.10.0-2.17.4 are vulnerable to denial-of-service via unbounded path expansion.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

React Router versions 7.0.0-7.14.x and @remix-run/server-runtime 2.10.0-2.17.4 are vulnerable to denial-of-service via unbounded path expansion.

Vulnerability

Versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime are affected by an unbounded path expansion vulnerability in the __manifest endpoint. This issue specifically impacts applications using React Router Framework Mode and Remix applications, but not those using Declarative Mode (`) or Data Mode (createBrowserRouter/`) [1].

Exploitation

An attacker can exploit this vulnerability by crafting specific requests to the __manifest endpoint. These requests can trigger disproportionate consumption of server resources, leading to degraded response times or service unavailability for legitimate users [1].

Impact

Successful exploitation of this vulnerability can result in a denial-of-service (DoS) condition. This manifests as response time degradation and/or complete service unavailability for end users, impacting the availability of the affected application [1].

Mitigation

This vulnerability is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5 [1]. Users are advised to update to these fixed versions to mitigate the risk.

References
  1. DoS via unbounded path expansion in __manifest endpoint

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

3

Patches

0

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

References

1

News mentions

0

No linked articles in our index yet.