React Router vulnerable to XSS in unstable RSC redirect handling...

8 / 10

HIGH

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

Description

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.

Basic Information

ID CVE-2026-33245

Source GitHub_M

Published Jun 2, 2026 at 17:14

Modified Jun 2, 2026 at 17:31

Affected Product

Vendor remix-run

Product react-router

Version >= 7.7.0, < 7.13.2

Affected Versions remix-run react-router >= 7.7.0, < 7.13.2

CWE Classification

CWE-79

References

github.com /remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62

{
    "lastseen": "",
    "description": "React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.",
    "published": "2026-06-02T17:14:50.377Z",
    "modified": "2026-06-02T17:31:20.244Z",
    "type": "cve",
    "title": "React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets",
    "source": "GitHub_M",
    "references": "https://github.com/remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62",
    "id": "CVE-2026-33245",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "remix-run react-router >= 7.7.0, < 7.13.2",
    "sourceHref": "",
    "cvss": {
        "score": 8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "react-router",
    "version": ">= 7.7.0, < 7.13.2",
    "vendor": "remix-run",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets_CVE-2026-33245