
React Router CVE-2026-34077

EUVD-2026-33994 · HIGH
Allocation of Resources Without Limits or Throttling (CWE-770)
Published 2026-06-02 · GitHub_M · GHSA-rxv8-25v2-qmq8
CVSS 3.1 base score 7.5 (GitHub Advisory)

Severity by source

GitHub Advisory (primary): 7.5 HIGH (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
SUSE: HIGH (qualitative)
Red Hat: 6.5 MEDIUM (qualitative)

Primary rating from GitHub Advisory.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: None
Availability: High

Lifecycle Timeline

Patch available: Jun 02, 2026 - 21:02 (EUVD)
Analysis Generated: Jun 02, 2026 - 20:22 (vuln.today)

Blast Radius

Ecosystem impact (transitive dependency graph; vuln.today resolves dependencies to a depth of 4 paths):
  • 6 npm packages depend on react-router (3 direct, 3 indirect)

Ecosystem-wide dependent count for version 7.0.0.

Description (GitHub Advisory)

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.

Analysis (AI)

Client-side Cross-Site Scripting in React Router 7.7.0 through 7.13.1 affects applications using the unstable React Server Components (RSC) APIs, where redirect handling fails to sanitize destinations originating from untrusted sources. An attacker who can influence redirect targets consumed by RSC handlers may inject script payloads that execute in the victim's browser, with no public exploit identified at time of analysis. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify app using React Router RSC
Delivery: Craft malicious redirect URL parameter
Exploit: Submit to vulnerable endpoint
Execution: RSC handler serializes untrusted target
Persist: Victim browser processes redirect
Impact: Injected script executes in victim context

Vulnerability Assessment (AI)

Exploitation: The application must be using React Router's unstable React Server Components (RSC) APIs; applications on React Router 7.7.0-7.13.1 that do not opt into RSC are not exploitable. …
Risk Assessment: The CVSS 7.5 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H scores only Availability impact, which is inconsistent with an XSS vulnerability: XSS typically affects Confidentiality and Integrity rather than Availability. The GitHub tags list both 'XSS' and 'Denial Of Service', so the CVSS appears to have been scored against the DoS facet while the description emphasizes XSS. Defenders should treat the real-world impact as primarily client-side script execution, with possible DoS as a secondary effect. …
Exploit Scenario: An attacker submits a crafted URL or form value to an application endpoint that feeds user-supplied data into an RSC redirect (for example, a post-login 'returnTo' parameter). The vulnerable React Router RSC handler serializes the attacker-controlled target back to the client and triggers navigation or rendering that executes the injected script in the victim's browser session, enabling session theft or actions in the victim's authenticated context. …
Remediation: Vendor-released patch: React Router 7.13.2. Upgrade react-router (and any pinned turbo-stream dependency resolved through it) to 7.13.2 or later as the primary fix, per https://github.com/remix-run/react-router/security/advisories/GHSA-rxv8-25v2-qmq8. …
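The advisory's precondition is that the redirect target "comes from untrusted sources", and the exploit scenario names a post-login 'returnTo' parameter as the typical source. Upgrading to 7.13.2 is the fix; the following is an added example of the compensating control an application can keep in front of any redirect or navigation call regardless of router version. It is not React Router code and not from the advisory: the helper name safeRedirectTarget, the sample origin https://app.example and the inputs below are constructed for illustration.

```javascript
// Added example, not React Router's own code. Validates an untrusted redirect
// target (e.g. a 'returnTo' query parameter) so that only same-origin paths
// are ever handed to a redirect/navigation API.

// Constructed sample origin; a real app would read its own configured origin.
const APP_ORIGIN = "https://app.example";

// Returns a normalized same-origin target ("/path?query#hash") or `fallback`
// when the candidate must not be followed.
function safeRedirectTarget(candidate, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0 || candidate.length > 2048) {
    return fallback;
  }
  // Reject control characters and whitespace outright rather than stripping
  // them: URL parsers silently drop some of these, which is exactly how
  // scheme-smuggling variants slip past naive prefix checks.
  if (/[\u0000-\u0020\u007f]/.test(candidate)) {
    return fallback;
  }
  // Only plain absolute paths are acceptable. "//host", "/\host" and any
  // "scheme:" form (including javascript:) are refused here by prefix.
  if (!candidate.startsWith("/") || candidate.startsWith("//") || candidate.startsWith("/\\")) {
    return fallback;
  }
  let url;
  try {
    url = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  // The authoritative check: after resolution the origin must still be ours.
  // This catches encodings the prefix checks above did not anticipate.
  if (url.origin !== APP_ORIGIN) {
    return fallback;
  }
  return url.pathname + url.search + url.hash;
}

// Usage at the point where a redirect response or client navigation is built:
//   const target = safeRedirectTarget(request.query.returnTo, "/dashboard");
//   redirect(target);
module.exports = { safeRedirectTarget, APP_ORIGIN };
```

The prefix checks alone are not sufficient; the origin comparison after `new URL` resolution is what actually decides, because the WHATWG parser normalizes backslashes and percent-encoding in ways that string checks do not reproduce. Where an application legitimately redirects to other origins, extend the origin comparison to an explicit allowlist rather than relaxing the path rules.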

Recommended Action (AI)

24 hours: Inventory all applications using React Router 7.7.0-7.13.1, with priority on those implementing React Server Components APIs. …


Vendor Status

SUSE

Severity: High
