What is GHSA-8x6r-g9mw-2r78?

GHSA-8x6r-g9mw-2r78 is a security advisory published by GitHub Security Advisories with High severity. React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

Which CVE IDs does GHSA-8x6r-g9mw-2r78 cover?

GHSA-8x6r-g9mw-2r78 covers the following CVE IDs: CVE-2026-42342. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-8x6r-g9mw-2r78?

GHSA-8x6r-g9mw-2r78 has a CVSS v3 base score of 7.5, published by GitHub Security Advisories.

Which products are affected by GHSA-8x6r-g9mw-2r78?

GHSA-8x6r-g9mw-2r78 affects 2 products, including: npm/react-router:\u003e= 7.0.0, \u003c 7.15.0; npm/@remix-run/server-runtime:\u003e= 2.10.0, \u003c 2.17.5.

GHSA-8x6r-g9mw-2r78HighCVSS 7.5

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

Vendor

GitHub Security Advisories

Published

June 3, 2026

Last Modified

June 3, 2026

🔗 CVE IDs covered (1)

CVE-2026-42342 →

📋 Description

There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users.

[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

🎯 Affected products2

npm/react-router:>= 7.0.0, < 7.15.0
npm/@remix-run/server-runtime:>= 2.10.0, < 2.17.5

🔗 References (3)

https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78
https://nvd.nist.gov/vuln/detail/CVE-2026-42342
https://github.com/advisories/GHSA-8x6r-g9mw-2r78