react-router
npm14 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting react-routerpage 1 of 1
- CVE-2025-43864HIGHCVSS 7.5EG 7.5✓ Fixed in 7.5.22025-04-25
React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch t…
- CVE-2025-43865HIGHCVSS 8.2EG 8.2✓ Fixed in 7.5.22025-04-25
React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values �…
- CVE-2025-59057HIGHCVSS 7.6EG 7.6✓ Fixed in 7.9.02026-01-10
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating scr…
- CVE-2025-68470MEDIUMCVSS 6.5EG 6.5✓ Fixed in 7.9.62026-01-10
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app p…
- CVE-2026-21884HIGHCVSS 8.2EG 8.2✓ Fixed in 7.12.02026-01-10
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storage…
- CVE-2026-22029MEDIUMCVSS 6.1EG 8.0✓ Fixed in 7.12.02026-01-10
React Router is a router for React. In @remix-run/router version prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Dat…
- CVE-2026-22030MEDIUMCVSS 6.5EG 6.5✓ Fixed in 7.12.02026-01-10
React Router is a router for React. In @remix-run/server-runtime version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using ser…
- CVE-2026-33244MEDIUMCVSS 5.4EG 5.4✓ Fixed in 7.13.22026-06-02
React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically…
- CVE-2026-33245MEDIUMCVSS 4.7EG 4.7✓ Fixed in 7.13.22026-06-02
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect hand…
- CVE-2026-34077HIGHCVSS 7.5EG 7.5✓ Fixed in 7.14.02026-06-02
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect hand…
- CVE-2026-40181MEDIUMCVSS 6.1EG 6.1✓ Fixed in 6.30.42026-06-02
React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinte…
- CVE-2026-42211HIGHCVSS 8.1EG 8.1✓ Fixed in 7.14.22026-06-02
React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the ap…
- CVE-2026-42342HIGHCVSS 7.5EG 7.5✓ Fixed in 7.15.02026-06-02
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path…
- CVE-2026-53663LOWCVSS 3.1EG 3.1✓ Fixed in 7.15.12026-06-15
React Router is a router for React. From 7.12.0 until 7.15.1, certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerab…
Check whether react-router is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for react-router CVEs against the assets you own.
Start Free Scan →