Description
React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Published: 2026-01-10
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting during Server‑Side Rendering
Action: Immediate Patch
AI Analysis

Impact

React Router's <ScrollRestoration> component in Framework Mode is vulnerable to cross‑site scripting when the getKey or storageKey properties are populated using untrusted content. If an attacker can supply malicious data that is used to generate these keys, arbitrary JavaScript can be executed on the server side and rendered to the client. The weakness is an input validation flaw, identified as CWE‑79, and the primary impact is the ability to run malicious scripts in the browser context of users compiling the SSR output.

Affected Systems

The vulnerability affects the @remix‑run/react package up to version 2.17.2 and the react‑router package from 7.0.0 through 7.11.0. Systems using these libraries in Framework Mode with <ScrollRestoration> must upgrade to @remix‑run/react 2.17.3 or later and react‑router 7.12.0 or later to eliminate the flaw.

Risk and Exploitability

The CVSS base score of 8.2 indicates a high severity vulnerability. The EPSS score is reported at less than 1%, suggesting low exploitation probability, and the issue is not listed in the CISA KEV catalog. The most likely attack vector is through server‑side rendering of user‑controlled content in Framework Mode, where the component generates keys from untrusted data. Exploitation would require that the attacker has the ability to influence the content used to build the keys, but no additional credentials or privileges are necessary.

Generated by OpenCVE AI on April 18, 2026 at 07:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade @remix‑run/react to version 2.17.3 or newer and react‑router to version 7.12.0 or newer.
  • If upgrading is not immediately possible, disable Framework Mode server‑side rendering or avoid using <ScrollRestoration> with untrusted key data, and switch to Declarative or Data Mode usage if applicable.
  • Implement strict validation or encoding for any data that is used to set getKey or storageKey properties to prevent injection of malicious scripts.

Generated by OpenCVE AI on April 18, 2026 at 07:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-8v8x-cx79-35w7 React Router SSR XSS in ScrollRestoration
History

Sat, 28 Feb 2026 04:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 30 Jan 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Shopify
Shopify react-router
Shopify remix-run\/react
CPEs cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*
cpe:2.3:a:shopify:remix-run\/react:*:*:*:*:*:node.js:*:*
Vendors & Products Shopify
Shopify react-router
Shopify remix-run\/react

Tue, 13 Jan 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Important

Mon, 12 Jan 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 10 Jan 2026 03:15:00 +0000

Type Values Removed Values Added
Description React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Title React Router SSR XSS in ScrollRestoration
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N'}

Subscriptions

Shopify React-router Remix-run\/react
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:04:51.084Z

Reserved: 2026-01-05T17:24:36.928Z

Link: CVE-2026-21884

cve-icon Vulnrichment

Updated: 2026-01-12T18:11:06.386Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-10T03:15:48.673

Modified: 2026-01-30T18:19:22.727

Link: CVE-2026-21884

cve-icon Redhat

Severity : Important

Publid Date: 2026-01-10T02:41:44Z

Links: CVE-2026-21884 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T07:15:25Z

Weaknesses