VYPR

npm package

react-router

pkg:npm/react-router

Vulnerabilities (7)

  • CVE-2026-22030 (Jan 10, 2026)
    affected >= 7.0.0, < 7.12.0; fixed 7.12.0

    React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framewo

  • CVE-2026-22029 (Jan 10, 2026)
    affected >= 7.0.0, < 7.12.0; fixed 7.12.0

    React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can re

  • CVE-2026-21884 (Jan 10, 2026)
    affected >= 7.0.0, < 7.12.0; fixed 7.12.0

    React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering wh

  • CVE-2025-59057 (Jan 10, 2026)
    affected >= 7.0.0, < 7.9.0; fixed 7.9.0

    React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/ APIs in Framework Mode when generating script:ld+json tags which could allow arbitr

  • CVE-2025-68470 (Jan 10, 2026)
    affected >= 6.0.0, < 6.30.2; fixed 6.30.2

    React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), , or redirect(), the app performs a navigation/redirect to an exter

  • CVE-2025-43865 (High, Apr 25, 2025)
    affected >= 7.0.0-pre.0, < 7.5.2; fixed 7.5.2

    React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This makes it possible to completely spoof its contents and modify all the values of the data object passed to the HTML. T

  • CVE-2025-43864 (High, Apr 25, 2025)
    affected >= 7.2.0, < 7.5.2; fixed 7.5.2

    React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that complete