GHSA-8646-j5j9-6r62HighCVSS 8.0

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets

Published
June 3, 2026
Last Modified
June 3, 2026

🔗 CVE IDs covered (1)

📋 Description

When using React Router v7's unstable RSC APIs, there exists a potential client-side XSS issue in the RSC redirect handling if redirects are coming from untrusted sources

[!NOTE] This only impacts your application if you are using the unstable RSC APIs in React Router.

🎯 Affected products1

  • npm/react-router:>= 7.7.0, < 7.13.2

🔗 References (3)