188 matches found
Cross-site Request Forgery (CSRF)
Overview @remix-run/server-runtime is a Server runtime for Remix Affected versions of this package are vulnerable to Cross-site Request Forgery CSRF due to insufficient CSRF checks for PUT, PATCH, and DELETE document requests. An attacker can cause unauthorized state changes by tricking a user in...
CVE-2026-44483
RVF formerly Remix Validated Form provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get used by @rvf/core to flatten incoming form data into a nested object does not block the keys proto, constructor, or prototype when walking ...
GHSA-RXV8-25V2-QMQ8 React Router vulnerable to Denial of Service via reflected user input in single-fetch
A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0...
React Router vulnerable to Denial of Service via reflected user input in single-fetch
A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0...
SUSE CVE-2026-42342
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the manifest endpoint, resulting in response...
GHSA-8X6R-G9MW-2R78 React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
There exists a potential DOS attack vector in React Router Framework Mode applications as well as Remix v2.10.0 - 2.17.4. Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users. !NOTE...
EUVD-2026-34000
React Router vulnerable to DoS via unbounded path expansion in manifest endpoint...
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
There exists a potential DOS attack vector in React Router Framework Mode applications as well as Remix v2.10.0 - 2.17.4. Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users. !NOTE...
PT-2026-46089
There exists a potential DOS attack vector in React Router Framework Mode applications as well as Remix v2.10.0 - 2.17.4. Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users. !NOTE...
Allocation of Resources Without Limits or Throttling
Overview @remix-run/server-runtime is a Server runtime for Remix Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the manifest endpoint. An attacker can exhaust server resources and cause service disruption by sending specially craft...
CVE-2026-42342
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the manifest endpoint, resulting in response...
CVE-2026-42342
CVE-2026-42342 affects React Router and Remix Server Runtime: versions 7.0.0β7.14.x of react-router and 2.10.0β2.17.4 of @remix-run/server-runtime are vulnerable to DoS via unbounded path expansion on the __manifest endpoint, causing high resource usage and potential unavailability for Framework ...
CVE-2026-42342 React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the manifest endpoint, resulting in response...
CVE-2026-42342 React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the manifest endpoint, resulting in response...
CVE-2026-42342
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the manifest endpoint, resulting in response...
PT-2026-45835
Name of the Vulnerable Software and Affected Versions react-router versions 7.0.0 through 7.14.x @remix-run/server-runtime versions 2.10.0 through 2.17.4 Description Certain crafted requests can cause unbounded path expansion in the " manifest" endpoint, leading to disproportionate server resourc...
CVE-2026-44483
RVF formerly Remix Validated Form provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get used by @rvf/core to flatten incoming form data into a nested object does not block the keys proto, constructor, or prototype when walking ...
EUVD-2026-32564
RVF formerly Remix Validated Form provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get used by @rvf/core to flatten incoming form data into a nested object does not block the keys proto, constructor, or prototype when walking ...
CVE-2026-44483 RVF: Prototype pollution in @rvf/set-get reachable via @rvf/core preprocessFormData (HTTP form data)
RVF formerly Remix Validated Form provides easy form validation and state management for React. From 6.0.0 to before 6.0.4 and 7.0.2, setPath in @rvf/set-get used by @rvf/core to flatten incoming form data into a nested object does not block the keys proto, constructor, or prototype when walking ...
CVE-2026-44483
RVF prototype pollution risk in form handling : The issue is in the set-get component used by @rvf/coreβs preprocessFormData. Vulnerable in @rvf/set-get versions < 6.0.4 (6.x) and