npm package
react-router
pkg:npm/react-router
Vulnerabilities (14)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-53663 | low | — | >= 7.12.0, < 7.15.1 | 7.15.1 | Jun 15, 2026 | Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cros | |
| CVE-2026-42342 | Hig | 7.5 | >= 7.0.0, < 7.15.0 | 7.15.0 | Jun 2, 2026 | React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, re | |
| CVE-2026-42211 | Hig | 8.1 | >= 7.0.0, < 7.14.2 | 7.14.2 | Jun 2, 2026 | React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing protot | |
| CVE-2026-40181 | Med | 6.1 | >= 7.0.0, < 7.14.1 | 7.14.1 | Jun 2, 2026 | React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The le | |
| CVE-2026-34077 | Hig | 7.5 | >= 7.0.0, < 7.14.0 | 7.14.0 | Jun 2, 2026 | React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sou | |
| CVE-2026-33245 | Hig | 8.0 | >= 7.7.0, < 7.13.2 | 7.13.2 | Jun 2, 2026 | React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sou | |
| CVE-2026-33244 | Med | 5.4 | >= 7.5.1, < 7.13.2 | 7.13.2 | Jun 2, 2026 | React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect loc | |
| CVE-2026-22029 | Hig | 8.0 | >= 7.0.0, < 7.12.0 | 7.12.0 | Jan 10, 2026 | React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can res | |
| CVE-2026-22030 | — | >= 7.0.0, < 7.12.0 | 7.12.0 | Jan 10, 2026 | React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framewo | ||
| CVE-2026-21884 | — | >= 7.0.0, < 7.12.0 | 7.12.0 | Jan 10, 2026 | React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering wh | ||
| CVE-2025-59057 | — | >= 7.0.0, < 7.9.0 | 7.9.0 | Jan 10, 2026 | React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitr | ||
| CVE-2025-68470 | — | >= 6.0.0, < 6.30.2 | 6.30.2 | Jan 10, 2026 | React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an exter | ||
| CVE-2025-43865 | Hig | 8.2 | >= 7.0.0-pre.0, < 7.5.2 | 7.5.2 | Apr 25, 2025 | React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. T | |
| CVE-2025-43864 | Hig | 7.5 | >= 7.2.0, < 7.5.2 | 7.5.2 | Apr 25, 2025 | React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that complete |
- affected >= 7.12.0, < 7.15.1fixed 7.15.1
Certain CSRF checks in React Router v7 [Framework Mode]() were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cros
- affected >= 7.0.0, < 7.15.0fixed 7.15.0
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, re
- affected >= 7.0.0, < 7.14.2fixed 7.14.2
React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing protot
- affected >= 7.0.0, < 7.14.1fixed 7.14.1
React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The le
- affected >= 7.0.0, < 7.14.0fixed 7.14.0
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sou
- affected >= 7.7.0, < 7.13.2fixed 7.13.2
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sou
- affected >= 7.5.1, < 7.13.2fixed 7.13.2
React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect loc
- affected >= 7.0.0, < 7.12.0fixed 7.12.0
React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can res
- CVE-2026-22030Jan 10, 2026affected >= 7.0.0, < 7.12.0fixed 7.12.0
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framewo
- CVE-2026-21884Jan 10, 2026affected >= 7.0.0, < 7.12.0fixed 7.12.0
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering wh
- CVE-2025-59057Jan 10, 2026affected >= 7.0.0, < 7.9.0fixed 7.9.0
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitr
- CVE-2025-68470Jan 10, 2026affected >= 6.0.0, < 6.30.2fixed 6.30.2
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an exter
- affected >= 7.0.0-pre.0, < 7.5.2fixed 7.5.2
React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. T
- affected >= 7.2.0, < 7.5.2fixed 7.5.2
React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that complete