React Router vulnerable to Denial of Service via reflected user...

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Description

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.

Basic Information

ID CVE-2026-34077

Source GitHub_M

Published Jun 2, 2026 at 17:31

Affected Product

Vendor remix-run

Product react-router

Version >= 7.0.0, < 7.14.0

Affected Versions remix-run react-router >= 7.0.0, < 7.14.0
remix-run turbo-stream < 3.0.0

CWE Classification

CWE-770

References

github.com /remix-run/react-router/security/advisories/GHSA-rxv8-25v2-qmq8

{
    "lastseen": "",
    "description": "React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.",
    "published": "2026-06-02T17:31:35.579Z",
    "modified": "2026-06-02T17:31:35.579Z",
    "type": "cve",
    "title": "React Router vulnerable to Denial of Service via reflected user input in single-fetch",
    "source": "GitHub_M",
    "references": "https://github.com/remix-run/react-router/security/advisories/GHSA-rxv8-25v2-qmq8",
    "id": "CVE-2026-34077",
    "bulletinFamily": "",
    "cwe": [
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "remix-run react-router >= 7.0.0, < 7.14.0\nremix-run turbo-stream < 3.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "react-router",
    "version": ">= 7.0.0, < 7.14.0",
    "vendor": "remix-run",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

React Router vulnerable to Denial of Service via reflected user input in single-fetch_CVE-2026-34077