Description
React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.13.2.
Published: 2026-06-02
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises when Remix's React Router, in Framework Mode with pre‑rendering enabled, fails to neutralise the value of the HTTP Location header. If the redirect target originates from an untrusted source, the unescaped value is embedded into the statically generated HTML file, leading to a stored cross‑site scripting flaw. An attacker could deliver malicious JavaScript that executes in the victim's browser whenever the affected static page is loaded. This flaw is classified under CWE‑79.

Affected Systems

Vulnerable versions of remix‑run react‑router – specifically 7.5.1 through 7.13.1 – are impacted. The issue is resolved in 7.13.2 and later releases.

Risk and Exploitability

The CVSS score is 5.4, indicating moderate severity. The EPSS score is not available, and the flaw is not listed in CISA KEV. Exploitation requires that the attacker can influence the Location header of a prerendered redirect; that value is then written, unescaped, into the static HTML served to users. Although the attack would not grant arbitrary code execution on the server, the injected script would run with the privileges of the page context, potentially allowing data theft or session hijacking. The risk is therefore limited to client‑side impact but remains significant for sites that trust user‑generated redirects.

Generated by OpenCVE AI on June 2, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update remix‑run react‑router to version 7.13.2 or later
  • Ensure that all redirect destinations used in the Location header are trusted or sanitized before being encoded into a prerendered page
  • If possible, disable Framework Mode pre‑rendering for redirect pages or switch to Declarative or Data mode, which do not construct static redirect HTML

Generated by OpenCVE AI on June 2, 2026 at 18:20 UTC.
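One way to implement the second recommended action, as an added example that is not React Router's own code: validate the redirect target and HTML-escape it before writing it into a static redirect page. It assumes the prerendered page is a `<meta http-equiv="refresh">` document; the function names are hypothetical.

```javascript
// Added example, not React Router's own code. Assumes the prerendered redirect
// page is a <meta http-equiv="refresh"> document; function names are hypothetical.

// Escape the characters that can close an attribute value or open a tag.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Accept only targets this site should ever emit: a same-origin absolute path
// (rejecting protocol-relative "//" and "/\" forms) or an https URL whose host
// is on the allow list. Anything else, including non-http schemes, returns null.
function validateRedirectTarget(location, allowedHosts = []) {
  if (typeof location !== "string" || location.length === 0) return null;
  if (location.startsWith("/")) {
    return location === "/" || /^\/[^\/\\]/.test(location) ? location : null;
  }
  let url;
  try {
    url = new URL(location);
  } catch {
    return null; // relative or malformed: not something the build should emit
  }
  if (url.protocol !== "https:" || !allowedHosts.includes(url.hostname)) {
    return null;
  }
  return url.href;
}

// Build the static redirect document. Returns null when the target is rejected,
// so the build step can fail instead of emitting a page with an untrusted value.
function renderRedirectHtml(location, allowedHosts = []) {
  const target = validateRedirectTarget(location, allowedHosts);
  if (target === null) return null;
  const safe = escapeHtml(target);
  return (
    "<!DOCTYPE html><html><head>" +
    `<meta http-equiv="refresh" content="0;url=${safe}">` +
    "</head><body>" +
    `<p>Redirecting to <a href="${safe}">${safe}</a></p>` +
    "</body></html>"
  );
}
```

The allow-list check is what keeps an untrusted source from turning the redirect into an open redirect; the escaping is what keeps it out of the markup.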


Advisories

No advisories yet.

History

Tue, 02 Jun 2026 18:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 02 Jun 2026 17:15:00 +0000

Type: Description
Values added: React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.13.2.

Type: Title
Values added: React Router has stored XSS via unescaped Location header in prerendered redirect HTML

Type: Weaknesses
Values added: CWE-79

Type: References
Values added: (none listed)

Type: Metrics (cvssV3_1)
Values added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T16:59:31.104Z

Reserved: 2026-03-18T02:42:27.509Z

Link: CVE-2026-33244

Vulnrichment

Updated: 2026-06-02T17:28:09.695Z

NVD

Status : Awaiting Analysis

Published: 2026-06-02T17:16:28.030

Modified: 2026-06-02T17:19:53.963

Link: CVE-2026-33244

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T18:30:15Z

Weaknesses