Description
React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2.
Published: 2026-06-02
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

React Router versions 7.0.0 through 7.14.1 contain a flaw that allows an attacker to execute arbitrary code via the vendored turbo-stream library. When the application is running in Framework Mode and is exposed to external requests, an attacker can exploit an existing prototype pollution vulnerability in a two-step attack. The attacker first pollutes the object prototype, then triggers the compromised turbo-stream deserialization process, which arbitrarily invokes a constructor and compromises the application with remote code execution. The vulnerability allows arbitrary code execution within the context of the running application.

Affected Systems

The vulnerability affects the Remix-run React Router package. All releases from 7.0.0 through 7.14.1 carried the flaw when running in Framework Mode. Declarative Mode usage via <BrowserRouter> and Data Mode via createBrowserRouter/RouterProvider are not impacted. The fix is applied in version 7.14.2.

Risk and Exploitability

The CVSS score of 8.1 indicates a high severity condition. EPSS information is not available, and the vulnerability is not currently listed in the CISA KEV catalog, which suggests that in-the-wild exploitation has not yet been observed. The attack requires the application code to have a pre-existing prototype pollution flaw, so overall exploitability depends on the presence of that secondary vulnerability. If both conditions are met, an attacker can gain unrestricted control of the target system.

Generated by OpenCVE AI on June 3, 2026 at 04:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the react-router package to version 7.14.2 or later.
  • Patch or otherwise eliminate any prototype pollution vulnerabilities in the application code base.
  • If an upgrade is not immediately possible, disable Framework Mode or restrict network traffic to the endpoints that consume turbo-stream data until a patch is applied.


Tracking


Advisories
Source       ID                   Title
Github GHSA  GHSA-49rj-9fvp-4h2h  React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
History

Thu, 04 Jun 2026 19:00:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Shopify; Shopify react-router
CPEs                                 cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*
Vendors & Products                   Shopify; Shopify react-router

Wed, 03 Jun 2026 15:30:00 +0000

Type     Values Removed  Values Added
Metrics                  ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 12:45:00 +0000

Type                 Values Removed  Values Added
First Time appeared                  Remix-run; Remix-run react-router
Vendors & Products                   Remix-run; Remix-run react-router

Wed, 03 Jun 2026 02:30:00 +0000

Type         Values Removed  Values Added
Description                  React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2.
Title                        React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
Weaknesses                   CWE-502
References
Metrics                      cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T14:08:30.154Z

Reserved: 2026-04-25T05:04:37.028Z

Link: CVE-2026-42211

Vulnrichment

Updated: 2026-06-03T14:01:45.125Z

NVD

Status : Analyzed

Published: 2026-06-02T20:16:36.537

Modified: 2026-06-04T18:50:38.323

Link: CVE-2026-42211

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T10:55:18Z

Weaknesses
  • CWE-502

    Deserialization of Untrusted Data