Severity by source
AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Primary rating from GitHub Advisory.
CVSS Vector (GitHub Advisory)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Blast Radius
Ecosystem impact: 11 npm packages depend on react-router (8 direct, 3 indirect).
Ecosystem-wide dependent count for version 7.7.0.
Description (GitHub Advisory)
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Analysis (AI)
Client-side cross-site scripting in React Router 7.7.0 through 7.13.1 allows remote attackers to execute arbitrary script in a victim's browser when the application uses the unstable React Server Components (RSC) APIs and processes redirects originating from untrusted sources. The flaw is patched in 7.13.2; no public exploit was identified at the time of analysis, and the vulnerability does not affect deployments that do not opt into the RSC APIs.
Attack Chain (AI-derived): hypothetical attack flow derived from CVE metadata.
Vulnerability Assessment (AI)
| Exploitation | Exploitation requires all of the following to be true: the target application must be running react-router 7.7.0 through 7.13.1; it must have opted into the unstable React Server Components (RSC) APIs (an explicit, non-default choice flagged as unstable by the maintainers); the RSC redirect handler must receive a redirect target sourced from data the attacker can influence (e.g., a user-supplied query parameter, a third-party identity provider, or external content); and a victim must interact with the malicious flow (UI:R in the CVSS vector - typically clicking a crafted link or completing a redirect-driven action). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) reflects an unauthenticated network attack with high complexity and required user interaction that crosses a security scope boundary, consistent with reflected/DOM XSS against an embedding origin. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who controls or can influence an upstream redirect source (for example, a third-party OAuth callback, a CMS-stored next-URL parameter, or an open-redirect on a trusted origin) returns a redirect whose target is a javascript: URI. A victim using a React Router 7.7.0-7.13.1 app with the unstable RSC APIs clicks a crafted link or workflow, the RSC redirect handler processes the untrusted target on the client, and the script executes in the application's origin, enabling session theft or actions on behalf of the user. … |
| Remediation | Vendor-released patch: upgrade react-router to 7.13.2 or later, which corrects the RSC redirect handling per advisory GHSA-8646-j5j9-6r62 (https://github.com/remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62). … Detailed patch versions, workarounds, and compensating controls in full report. |
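A compensating control for the untrusted-redirect-source condition described above, as an added example that is not react-router's own code: validate a client-side redirect target before any redirect handler acts on it, accepting only same-origin http(s) targets (or an explicit host allowlist) and rejecting javascript:/data: schemes, protocol-relative and backslash-prefixed forms. APP_ORIGIN and the host names are assumed placeholders; upgrading to 7.13.2 remains the actual fix.

```javascript
// Added example, not react-router code: validate a redirect target that came
// from an untrusted source (query parameter, IdP callback, CMS field) before
// any client-side redirect handler acts on it.
// Policy: same-origin http(s) targets are returned as a relative path; hosts in
// an explicit allowlist are returned as absolute URLs; everything else is null.

// Assumed placeholder for the deploying application's own origin.
const APP_ORIGIN = "https://app.example";

function safeRedirectTarget(target, appOrigin = APP_ORIGIN, allowedHosts = []) {
  if (typeof target !== "string" || target.length === 0) return null;

  let url;
  try {
    // The WHATWG parser lower-cases the scheme and strips tabs/newlines, so
    // "JavaScript:" and "java\tscript:" both end up as protocol "javascript:".
    url = new URL(target, appOrigin);
  } catch {
    return null; // unparseable input is rejected, not passed through
  }

  // Only web schemes may be redirect targets; this rejects javascript:, data:,
  // vbscript:, blob: and similar regardless of how the scheme was spelled.
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;

  // Same-origin check. Protocol-relative ("//host") and backslash-prefixed
  // ("/\\host") inputs resolve to a foreign host here and are rejected.
  if (url.origin === new URL(appOrigin).origin) {
    return url.pathname + url.search + url.hash;
  }

  // Optional explicit allowlist of external hosts (exact match, not suffix).
  if (allowedHosts.includes(url.host)) {
    return url.href;
  }

  return null;
}
```

Apply it at the single point where the redirect target enters the application (for example where the query parameter or callback value is read), so nothing downstream ever sees an unvalidated value.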
Recommended Action (AI)
Within 24 hours: Audit all React Router deployments to identify applications using the unstable React Server Components (RSC) APIs; non-RSC deployments are not affected. …
Vendor Status
SUSE
Severity: Medium
External POC / Exploit Code
EUVD-2026-33988
GHSA-8646-j5j9-6r62