CVE-2026-33244

A flaw was found in react-router. When using Framework Mode with pre-rendering enabled, an attacker can exploit improper handling of the HTTP Location header value. This can lead to Cross-Site Scripting XSS, allowing malicious scripts to be injected into statically generated HTML files if the...

CVE-2026-40181

A flaw was found in React Router. This vulnerability allows a remote attacker to redirect users to an external, potentially malicious, website. This occurs when specially crafted URLs, containing paths starting with //, are passed to the redirect function, causing them to be misinterpreted as...

GHSA-84G9-W2XQ-VCV6 React Router: Potential CSRF via PUT/PATCH/DELETE document requests

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight, SameSite cookies already block the cross-origin attack vectors...

Cross-site Request Forgery (CSRF)

Overview Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to insufficient CSRF checks for PUT, PATCH, and DELETE document requests. An attacker can cause unauthorized state changes by tricking a user into submitting crafted requests from another origin. Note...

React Router: Potential CSRF via PUT/PATCH/DELETE document requests

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections CORS preflight, SameSite cookies already block the cross-origin attack vectors...

GHSA-RXV8-25V2-QMQ8 React Router vulnerable to Denial of Service via reflected user input in single-fetch

A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0...

GHSA-8X6R-G9MW-2R78 React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

There exists a potential DOS attack vector in React Router Framework Mode applications as well as Remix v2.10.0 - 2.17.4. Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users. !NOTE...

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

There exists a potential DOS attack vector in React Router Framework Mode applications as well as Remix v2.10.0 - 2.17.4. Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users. !NOTE...

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

EUVD-2026-33996

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation...

GHSA-2J2X-HQR9-3H42 React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect. !NOTE This does not impact your React Router application if you are using Declarative Mode...

SUSE CVE-2026-33244

React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting XSS in the statically generated HTML files if the redirect location comes from an...

PT-2026-46089

There exists a potential DOS attack vector in React Router Framework Mode applications as well as Remix v2.10.0 - 2.17.4. Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users. !NOTE...

PT-2026-46085

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in...

PT-2026-46083

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect. !NOTE This does not impact your React Router application if you are using Declarative Mode...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the serialization algorithm in the PrefetchPageLinks function. An attacker can cause a denial of service by supplying specially crafted user input that is reflected and processed...

Allocation of Resources Without Limits or Throttling

Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the serialization algorithm in the PrefetchPageLinks function. An attacker can cause a denial of service by supplying specially crafted user input that is reflected and processed...

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect when certain URLs with path values starting with // are processed. An attacker can redirect users to external domains by supplying specially crafted protocol-relative URLs. Note: Users that utilise Declarative Mode are not...

Open Redirect

Overview Affected versions of this package are vulnerable to Open Redirect when certain URLs with path values starting with // are processed. An attacker can redirect users to external domains by supplying specially crafted protocol-relative URLs. Note: Users that utilise Declarative Mode are not...

Allocation of Resources Without Limits or Throttling

Overview @remix-run/server-runtime is a Server runtime for Remix Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the manifest endpoint. An attacker can exhaust server resources and cause service disruption by sending specially craft...