Description
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Published: 2026-06-02
Score: 8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability exists in React Router versions 7.7.0 through 7.13.1. The unstable React Server Components (RSC) redirect handling can execute untrusted javascript: URLs, leading to client-side XSS. Based on the description, it is inferred that the flaw results from a lack of validation of redirect targets (CWE-79) and that attackers can inject malicious scripts through redirect parameters, compromising the user's browser and enabling credential theft or defacement.

Affected Systems

The vendor product is remix-run's React Router. All installations of React Router 7.7.0 through 7.13.1 that use the unstable React Server Components APIs for redirects are affected. Versions prior to 7.7.0, and the patched 7.13.2 and later, are not vulnerable.

Risk and Exploitability

The CVSS score of 8 indicates high severity. EPSS data is not available, but the vulnerability is not listed in CISA KEV, implying no known mass exploitation. Based on the description, it is inferred that exploitation requires an application that accepts redirect targets from untrusted sources while using the unstable RSC APIs, and that an attacker controlling that input can craft a redirect URL using the javascript: scheme that executes code in the user's browser with the same privileges as the victim. Given the high score and the potential for client-side compromise, the risk is moderate-high.

Generated by OpenCVE AI on June 3, 2026 at 04:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade react-router to version 7.13.2 or later.
  • Disable or remove usage of the unstable React Server Components APIs for redirects if possible.
  • Validate or filter redirect target URLs, rejecting javascript: scheme and other unsafe protocols before processing.
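As an added illustration of the third action (example code, not React Router's own), a redirect-target validator that allow-lists http(s) URLs and relative paths and rejects every other scheme. It relies on the WHATWG URL parser so that obfuscated spellings of the javascript: scheme (leading whitespace, mixed case, embedded tabs) are normalized before the check; the function names, the base origin and the sample targets are assumed/constructed.

```javascript
// Added example, not React Router's own code: allow-list validation of a
// redirect target before the client follows it. Only http(s) URLs and
// relative paths (resolved against the app's own origin) are accepted.
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);

// Returns { ok: true, href } for an acceptable target, otherwise
// { ok: false, reason }. `baseOrigin` (assumed input) is the origin of the
// page performing the redirect; relative targets resolve against it, while
// absolute targets keep their own scheme, which is what exposes "javascript:".
function validateRedirectTarget(target, baseOrigin) {
  if (typeof target !== "string" || target.trim() === "") {
    return { ok: false, reason: "empty or non-string target" };
  }
  let url;
  try {
    // The WHATWG URL parser strips leading/trailing C0 controls and spaces,
    // removes embedded tab/newline and lowercases the scheme, so variants like
    // " JavaScript:" or "java\tscript:" still parse to protocol "javascript:".
    url = new URL(target, baseOrigin);
  } catch {
    return { ok: false, reason: "unparseable target" };
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) {
    return { ok: false, reason: `disallowed scheme ${url.protocol}` };
  }
  return { ok: true, href: url.href };
}

// Constructed sample targets, as an untrusted query parameter might supply them.
const SAMPLE_TARGETS = [
  "/dashboard",
  "https://example.com/next",
  "javascript:alert(1)",
  " JavaScript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<b>x</b>",
  "vbscript:msgbox(1)",
];

// Runs every sample through the validator and returns [target, allowed] pairs.
function classifySamples(baseOrigin = "https://app.example") {
  return SAMPLE_TARGETS.map((t) => [t, validateRedirectTarget(t, baseOrigin).ok]);
}

for (const [t, ok] of classifySamples()) {
  console.log(ok ? "ALLOW " : "REJECT", JSON.stringify(t));
}
```

Applying the check on the server before emitting the redirect, and again on the client before navigating, covers both directions in which an untrusted target can arrive.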

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Type        | Values Removed | Values Added
Description |                | React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Title       |                | React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1 {'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T17:31:20.244Z

Reserved: 2026-03-18T02:42:27.509Z

Link: CVE-2026-33245

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T20:16:34.367

Modified: 2026-06-02T20:16:34.367

Link: CVE-2026-33245

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:30:05Z

Weaknesses