Pro
Beat report Published 36d ago ·

React Router 7 ships seven CVEs in a single window, one carries an RCE chain

The React Router team published seven security advisories on 2026-06-02 covering DoS, XSS, open-redirect, and one prototype-pollution RCE chain. Patches land in 7.13.2 through 7.15.1. Declarative Mode apps are largely unaffected; Framework Mode and RSC users carry the upgrade.

By Stackmaven

The React Router team disclosed seven security advisories on 2026-06-02 spanning denial-of-service, cross-site scripting, open-redirect, and one chained remote-code-execution path. The disclosure is the largest single-window batch the project has shipped since the Remix merge, and it lands at a moment when v7 Framework Mode has become the default deployment shape for new React Router applications.

What shipped

The seven advisories cluster into four shapes. Two are denial-of-service issues that hit Framework Mode’s request pipeline: GHSA-8x6r-g9mw-2r78 lets unbounded path expansion in the __manifest endpoint consume disproportionate server resources, and GHSA-rxv8-25v2-qmq8 turns the single-fetch serializer into a bottleneck on specific payload shapes. Both ship in v7.14.0 and v7.15.0. Two are cross-site scripting: GHSA-8646-j5j9-6r62 patches javascript: redirect targets in the unstable RSC API path, and GHSA-f22v-gfqf-p8f3 escapes the Location header that prerendered redirects emit. Patches land in 7.13.2. Two are open-redirect issues, GHSA-2j2x-hqr9-3h42 for protocol-relative URLs and GHSA-84g9-w2xq-vcv6 covering a CSRF check bypass on PUT, PATCH, and DELETE methods.

The seventh advisory, GHSA-49rj-9fvp-4h2h, is the load-bearing one. It is rated High at CVSS 8.1 and describes a remote code execution path through React Router’s Framework Mode request handling, reachable only when the host application is already vulnerable to prototype pollution. The advisory text reads: “There exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability.” The chain affects 7.0.0 through 7.14.1 and is patched in 7.14.2. The recommended upgrade target for the full disclosure is 7.15.1.

The CSRF, open-redirect, and RCE-chain advisories all explicitly exclude apps running in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter / RouterProvider). The attack surface is the loader/action pipeline that Framework Mode introduced as part of the Remix merge, plus the unstable RSC entry points.

Where this lands in the market

Framework Mode is the deployment shape React Router has pushed since the 7.0 line absorbed Remix in late 2024, and the entire upgrade story for legacy Remix v2 apps has routed through it. That makes the disclosure narrower than the headline count suggests, and also harder to dismiss. Apps that took the migration path are exposed; apps that stayed on <BrowserRouter> are mostly not.

The prototype-pollution gating on the RCE advisory is a meaningful detail and a thin one. Prototype pollution is a known weakness shape in the JavaScript ecosystem, surfacing periodically in dependency trees through utility libraries that merge or extend objects without sanitization. An application owner who is confident their dependency graph has no prototype-pollution sink is in a different operational posture than one who is not, and the second group is larger than the first. Treating CVE-2026-42211 as “unreachable in our stack” without an audit is the wrong move.

Netlify’s response is the platform-side tell. The provider posted its own changelog entry on 2026-06-02 walking through the impact of each advisory on customer functions, with the observation that serverless autoscaling absorbs the DoS payload’s blast radius at the cost of higher function spend. Vercel, Cloudflare Workers, and self-hosted Node deployments do not get that same isolation for free. Long-running Node processes serving Framework Mode routes are the most exposed deployment shape in the set.

What’s worth watching

  1. Coordinated-disclosure cadence. Seven advisories in a single window is a release shape, not an organic backlog. Whether the React Router team holds to a quarterly disclosure cadence going forward, or whether 2026-06-02 was a one-off catch-up, will be readable from how the v7.16.x and v7.17.x release notes are structured. A clean release in the next ninety days suggests the batch absorbed an audit’s findings; a second multi-advisory window would suggest the audit is ongoing.

  2. RSC API hardening. Two of the seven advisories target the unstable RSC entry points, which is a higher hit rate than the API’s adoption curve would predict. React Server Components in React Router is still pre-stable, and the disclosure is a reminder that anyone shipping unstable APIs to production is carrying that exposure. Whether the RSC surface stabilizes before another XSS lands is the readable signal.

  3. Framework Mode default tension. The disclosure draws a clean line between Framework Mode and the older Declarative and Data modes, but the project’s documentation has been steering new users toward Framework Mode for two years. If the ratio of mode-specific advisories continues to skew this way, expect either a doc-level repositioning of the modes or a security-hardening sweep of the loader pipeline before the v8 line opens.

The follow-up beat lands around 2026-09-06, after the next React Router release window has shown whether the disclosure was a one-window batch or the leading edge of a longer audit.

Sources cited
  1. React Router advisory: GHSA-49rj-9fvp-4h2h (RCE chain, CVSS 8.1) github.com
  2. React Router GitHub Security Advisories index github.com
  3. Netlify: 7 React Router security vulnerabilities, what you need to know www.netlify.com
  4. React Router 7.15.1 release on GitHub github.com
esc