Severity by source
CVSS Vector (GitHub Advisory): CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory.
Blast Radius
Ecosystem impact:
- 85 npm packages depend on @remix-run/server-runtime (78 direct, 7 indirect)
- 6 npm packages depend on react-router (3 direct, 3 indirect)
Ecosystem-wide dependent count for version 2.10.0 and other introduced versions.
Description (GitHub Advisory)
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.
Analysis (AI)
Denial of service in React Router 7.0.0-7.14.x and @remix-run/server-runtime 2.10.0-2.17.4 allows remote unauthenticated attackers to exhaust server resources by sending crafted requests to the __manifest endpoint, which triggers unbounded path expansion. Only applications running in React Router Framework Mode or Remix are affected; Declarative Mode (<BrowserRouter>) and Data Mode (createBrowserRouter) deployments are not. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | The target must be deployed in React Router Framework Mode or as a Remix application using @remix-run/server-runtime; Declarative Mode (<BrowserRouter>) and Data Mode (createBrowserRouter/<RouterProvider>) deployments are explicitly out of scope. … |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) describes a high-impact availability-only flaw reachable over the network with no authentication, no user interaction, and low complexity, yielding a base score of 7.5. … |
| Exploit Scenario | An unauthenticated attacker on the public internet sends a small volume of crafted HTTP GET requests to the /__manifest endpoint of a Remix or React Router Framework Mode application, with path parameters designed to trigger the unbounded expansion. Each request consumes disproportionate CPU and memory on the server, and a modest number of concurrent requests is sufficient to make the application unresponsive for legitimate users. … |
| Remediation | Vendor-released patch: upgrade react-router to 7.15.0 or later, and upgrade @remix-run/server-runtime to 2.17.5 or later, per the GitHub Security Advisory at https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78. … |
Recommended Action (AI)
Within 24 hours: Inventory all applications using React Router 7.0.0-7.14.x and @remix-run/server-runtime 2.10.0-2.17.4; identify which are running in Framework Mode or Remix (Declarative and Data Modes are not affected). …
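The inventory step above and the Remediation row both reduce to one check: which installed versions of react-router and @remix-run/server-runtime fall inside the affected ranges. The following is an added example, not code from the advisory or the react-router project; it walks the `packages` map of a lockfileVersion 2/3 package-lock.json (a constructed fragment is embedded) and assumes a pre-release of the fixed version should still be reported as affected.

```javascript
// Added example (not from the advisory or the react-router project): flag
// package-lock.json entries inside the affected ranges stated in the advisory.
const AFFECTED = {
  "react-router": { min: "7.0.0", fixed: "7.15.0" },
  "@remix-run/server-runtime": { min: "2.10.0", fixed: "2.17.5" },
};
// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(v.trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}
// Returns -1, 0 or 1. Assumption: a pre-release of the fixed version counts as
// still affected, because 7.15.0-pre.0 sorts before 7.15.0 in semver.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}
function isAffected(name, version) {
  const r = AFFECTED[name];
  return !!r && compareVersions(version, r.min) >= 0 && compareVersions(version, r.fixed) < 0;
}
// Walk the "packages" map of a lockfileVersion 2/3 package-lock.json. Keys are
// install paths ("node_modules/react-router", or nested under another package);
// the "" key is the root project and is skipped.
function findAffected(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !entry.version) continue;
    const name = entry.name || path.slice(path.lastIndexOf("node_modules/") + 13);
    if (isAffected(name, entry.version)) {
      hits.push({ path, name, version: entry.version, fixed: AFFECTED[name].fixed });
    }
  }
  return hits;
}
// Constructed sample lockfile fragment (not from a real project).
const SAMPLE_LOCK = { packages: {
  "": { name: "example-app", version: "1.0.0" },
  "node_modules/react-router": { version: "7.14.2" },
  "node_modules/@remix-run/server-runtime": { version: "2.17.5" },
  "node_modules/legacy-tool/node_modules/@remix-run/server-runtime": { version: "2.12.0" },
} };
console.log(JSON.stringify(findAffected(SAMPLE_LOCK), null, 2));
```

Nested copies under another package's node_modules are reported with their full install path, since a transitive dependency can keep a vulnerable version installed after the top-level one is upgraded.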
Vendor Status
SUSE (Severity: High)
| Product | Status |
|---|---|
| SUSE Linux Enterprise Module for Package Hub 15 SP7 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Fixed |
| SUSE Manager Client Tools 15 | Fixed |
| SUSE Manager Client Tools for SLE 15 | Fixed |
| SUSE Multi-Linux Manager Client Tools for SLE 15 | Fixed |
| openSUSE Leap 16.0 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Fixed |
| SUSE Manager Proxy LTS 4.3 | Fixed |
| SUSE Manager Proxy Module 4.3 | Fixed |
| SUSE Enterprise Storage 6 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for Package Hub 15 SP6 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP5 | Fixed |
| SUSE Linux Enterprise Module for SAP Applications 15 SP6 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Fixed |
| SUSE Manager Proxy Module 4.1 | Fixed |
| SUSE Manager Proxy Module 4.2 | Fixed |
| openSUSE Leap 15.3 | Fixed |
| openSUSE Leap 15.4 | Fixed |
| openSUSE Leap 15.5 | Fixed |
| openSUSE Leap 15.6 | Fixed |
| SUSE Multi Linux Manager Tools SLE-15 | Fixed |
| ses/7.1/ceph/prometheus-server ses/7/ceph/prometheus-server suse/multi-linux-manager/5.2/x86_64/monitoring-prometheus | Fixed |
EUVD-2026-34000
GHSA-8x6r-g9mw-2r78