Description
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Published: 2026-06-02
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

React Router versions 7.7.0 through 7.13.1 contain a client-side XSS flaw that is triggered when redirects from untrusted sources are processed by the unstable React Server Components (RSC) APIs. An attacker can inject arbitrary JavaScript into the browser session of a user who follows a malicious link, potentially exposing sensitive data or enabling phishing attempts. The vulnerability stems from improper handling of redirect URLs and is categorized as a CWE-770 flaw.

Affected Systems

The affected products are remix-run:react-router and remix-run:turbo-stream, with versions 7.7.0 through 7.13.1 impacted. The issue is resolved in version 7.13.2 and newer releases.

Risk and Exploitability

The CVSS score of 7.5 reflects a high severity level. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires a web application that uses the unstable RSC APIs and an attacker who can deliver a crafted redirect target to a victim. Because the flaw is client-side, the attack can be initiated simply by visiting a malicious link; however, the damage is confined to the victim's browser session. Note that the record's own metadata (the title in the History section, the CWE-770 weakness and the CVSS vector C:N/I:N/A:H) describe an availability impact rather than a script-injection one, so the severity details should be read with that inconsistency in mind. Until the product is patched, the risk remains high for installations that use the vulnerable versions.

Generated by OpenCVE AI on June 3, 2026 at 03:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade React Router to version 7.13.2 or later to fix the redirect handling bug.
  • Disable or remove usage of the unstable React Server Components APIs in React Router if they are not required for your application.
  • Validate any redirect URLs in the client code to accept only trusted origins before rendering them in the browser.
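As an added illustration of the third recommendation, the following JavaScript is not code from the React Router project or from this advisory; it shows one way to vet a redirect target on the client before following it. The names `ALLOWED_ORIGINS`, `resolveSafeRedirect` and `followRedirect`, the sample allow-list and the injected `navigate` callback are assumptions made for the example. The check parses the candidate with the standard `URL` constructor, rejects every scheme other than http(s) (so `javascript:` and `data:` targets can never reach the navigation step), and then accepts only the current origin or an explicit allow-list.

```javascript
// Added example, not React Router's own code. Validates a redirect target
// before the client acts on it: only http(s) URLs on the current origin or on
// an allow-listed origin are followed; everything else is rejected.

// Constructed sample allow-list (assumption for this example).
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://accounts.example.com",
]);

// Returns the normalized absolute URL string when `target` is safe to follow
// from `currentOrigin`, otherwise null. Nothing is rendered or navigated here.
function resolveSafeRedirect(target, currentOrigin, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof target !== "string" || target.trim().length === 0) return null;

  // Parse first, judge the parsed result. Protocol-relative forms such as
  // "//other.example/x" resolve to a foreign origin, which the origin check
  // below catches; inspecting the raw string would miss such cases.
  let url;
  try {
    url = new URL(target, currentOrigin);
  } catch {
    return null; // unparsable input is rejected outright
  }

  // Only http(s) may be followed. Other schemes (javascript:, data:, blob:,
  // vbscript:) are the ones that turn a "redirect" into script execution or
  // attacker-controlled content.
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;

  // Same-origin targets are fine; any other origin must be on the allow-list.
  // Comparing `url.origin` (scheme + host + port) defeats look-alike hosts such
  // as "app.example.com.other.example".
  if (url.origin !== currentOrigin && !allowedOrigins.has(url.origin)) return null;

  return url.href;
}

// Wires the check in front of navigation. `navigate` is injected so the logic
// can run outside a browser; in a real app it would wrap location.assign or the
// router's navigate function. Returns true when a navigation was issued.
function followRedirect(target, currentOrigin, navigate) {
  const safe = resolveSafeRedirect(target, currentOrigin);
  if (safe === null) {
    // Log and stay put; a rejected redirect must not fall back to the raw value.
    console.warn("rejected untrusted redirect target");
    return false;
  }
  navigate(safe);
  return true;
}
```

The same validation belongs on the server that emits the redirect in the RSC payload; the client-side check is the last line of defence for the case this advisory describes, where the redirect value itself comes from an untrusted source.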

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 02:30:00 +0000

Values Removed: none
Values Added:
  • Description: React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
  • Title: React Router vulnerable to Denial of Service via reflected user input in single-fetch
  • Weaknesses: CWE-770
  • References: (none listed)
  • Metrics: cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T17:31:35.579Z

Reserved: 2026-03-25T16:21:40.868Z

Link: CVE-2026-34077

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-02T20:16:34.620

Modified: 2026-06-02T20:16:34.620

Link: CVE-2026-34077

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T04:00:13Z

Weaknesses