Severity by source
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 14 npm packages depend on react-router (7 direct, 8 indirect)
Ecosystem-wide dependent count for version 7.5.1.
DescriptionGitHub Advisory
React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This is patched in version 7.13.2.
AnalysisAI
Cross-site scripting in React Router's Framework Mode (versions 7.5.1-7.13.1) allows an authenticated attacker with influence over redirect destinations to inject malicious content into statically pre-rendered HTML files via an unsanitized HTTP Location header. Exploitation requires both low-privilege authentication (confirmed by CVSS PR:L) and victim user interaction (UI:R), limiting mass exploitation. No public exploit has been identified at time of analysis, and CISA KEV status is not confirmed. A vendor-released patch exists in version 7.13.2.
Technical ContextAI
React Router (CPE: cpe:2.3:a:remix-run:react-router:*:*:*:*:*:*:*:*) is a widely-adopted routing library for React applications maintained by the remix-run organization. The vulnerability is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation - XSS): during static pre-rendering in Framework Mode, the library processes server-side redirect responses and writes the HTTP Location header value directly into generated static HTML files without adequate sanitization or encoding. If the redirect destination is supplied by or influenced by an untrusted source, attacker-controlled content enters the HTML output unescaped. This code path is exclusive to Framework Mode with pre-rendering enabled; the Declarative Mode (BrowserRouter) and Data Mode (createBrowserRouter/RouterProvider) do not perform static HTML generation and are explicitly not affected. The CVSS S:C (Changed Scope) component reflects that the injected script executes in the victim's browser context, outside the application's own origin boundary.
RemediationAI
Vendor-released patch: React Router 7.13.2. Teams should upgrade immediately by updating their package dependency - e.g., running npm install react-router@7.13.2 or the equivalent for their package manager. The authoritative advisory is at https://github.com/remix-run/react-router/security/advisories/GHSA-f22v-gfqf-p8f3. If an immediate upgrade is not feasible, a targeted workaround is to disable pre-rendering in Framework Mode, which eliminates the vulnerable static HTML generation path at the cost of losing static-site generation performance benefits - pages would then be rendered dynamically at request time. A second compensating control is to validate and sanitize all redirect Location header values at the application layer before they are returned in server responses, ensuring only allowlisted URLs or properly encoded destinations are used. Neither workaround is a substitute for patching.
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.3 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.4 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Micro 5.5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.0 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.1 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Linux Micro 6.2 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools for SLE 15 | Fixed |
| SUSE Multi-Linux Manager Client Tools for SLE 15 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy Module 4.3 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy Module 4.1 | Fixed |
| SUSE Manager Proxy Module 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| openSUSE Leap Micro 5.5 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
| ses/7.1/ceph/prometheus-server ses/7/ceph/prometheus-server suse/multi-linux-manager/5.2/x86_64/monitoring-prometheus | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33986
GHSA-f22v-gfqf-p8f3