Description
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.
Published: 2026-06-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

React Router is vulnerable to a denial-of-service attack caused by unbounded path expansion in its __manifest endpoint. Crafted requests trigger excessive server resource consumption, resulting in significant response time slowdowns and possible service unavailability for end users. The weakness, identified as CWE-400 (Uncontrolled Resource Consumption), provides attackers with the ability to degrade application performance without altering data or compromising credentials.

Affected Systems

The issue affects Remix-run's @remix-run/server-runtime versions 2.10.0 through 2.17.4 and react-router versions 7.0.0 through 7.14.x. Applications running React Router in Framework Mode or as part of a Remix project are affected, while projects using Declarative Mode (BrowserRouter) or Data Mode (createBrowserRouter/RouterProvider) are not impacted.

Risk and Exploitability

The vulnerability is assigned a CVSS score of 7.5, indicating high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a remote HTTP request to the __manifest endpoint; given the lack of authentication or other controls, an attacker can send crafted requests from the public internet to exhaust server resources.

Generated by OpenCVE AI on June 3, 2026 at 04:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade react-router to version 7.15.0 or later, and upgrade @remix-run/server-runtime to 2.17.5 or later, which contain the fix for the path expansion flaw.
  • If an upgrade is not immediately possible, isolate or disable the __manifest endpoint, or apply strict rate limiting and input size restrictions to mitigate resource exhaustion.
  • Monitor application performance metrics and capture anomalous request patterns targeting the __manifest endpoint, and enforce throttling or alerts to detect abuse early.
  • Consider refactoring applications to use Declarative or Data Mode routing, which do not expose the vulnerable endpoint.
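The interim mitigations above (input size restriction, rate limiting, and logging of anomalous __manifest traffic) can be enforced in front of the router. The following is an added example, not React Router's or OpenCVE's code; it assumes a Node.js server with Express/Connect-style middleware, that the endpoint is served at "/__manifest" (possibly under a basename), and uses constructed placeholder caps that are not taken from the advisory.

```javascript
// Defensive pre-filter for the __manifest endpoint (added example; not React
// Router's or OpenCVE's code). Rejects oversized request targets and
// rate-limits per client before the router handles the request, and logs
// each rejection so the pattern can be alerted on.
// Assumptions (not from the advisory): endpoint path is "/__manifest",
// possibly under a basename; all numeric caps are constructed placeholders.

const MAX_TARGET_LENGTH = 2048; // constructed cap on request target (path + query) length
const RATE_LIMIT = 30;          // constructed: max __manifest requests per client per window
const RATE_WINDOW_MS = 60_000;  // constructed: fixed one-minute window

const buckets = new Map(); // clientIp -> { windowStart, count }

function isManifestRequest(pathname) {
  return pathname === "/__manifest" || pathname.endsWith("/__manifest");
}

// Returns { allow: true } or { allow: false, reason } for one request target.
// nowMs is injectable so the window logic can be exercised deterministically.
function checkManifestRequest(rawTarget, clientIp, nowMs = Date.now()) {
  const url = new URL(rawTarget, "http://placeholder.invalid");
  if (!isManifestRequest(url.pathname)) return { allow: true };

  // Size restriction: drop oversized targets before the router expands anything.
  if (rawTarget.length > MAX_TARGET_LENGTH) return { allow: false, reason: "target-too-long" };

  // Fixed-window rate limit keyed by client address.
  let bucket = buckets.get(clientIp);
  if (!bucket || nowMs - bucket.windowStart >= RATE_WINDOW_MS) {
    bucket = { windowStart: nowMs, count: 0 };
    buckets.set(clientIp, bucket);
  }
  bucket.count += 1;
  if (bucket.count > RATE_LIMIT) return { allow: false, reason: "rate-limited" };
  return { allow: true };
}

// Express/Connect-style middleware; mount it ahead of the React Router request handler.
function manifestGuard(req, res, next) {
  const clientIp = (req.socket && req.socket.remoteAddress) || "unknown";
  const verdict = checkManifestRequest(req.url, clientIp);
  if (verdict.allow) return next();
  console.warn(`rejected __manifest request (${verdict.reason}) from ${clientIp}`);
  res.statusCode = verdict.reason === "rate-limited" ? 429 : 414;
  res.end();
}
```

The in-memory bucket map is per process; behind a load balancer, enforce the same limits at the edge or in a shared store so a client cannot spread requests across instances.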

Generated by OpenCVE AI on June 3, 2026 at 04:41 UTC.

Advisories
Source        ID                    Title
GitHub GHSA   GHSA-8x6r-g9mw-2r78   React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
History

Thu, 04 Jun 2026 19:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Shopify
                                       Shopify react-router
                                       Shopify remix-run\/server-runtime
CPEs                                   cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*
                                       cpe:2.3:a:shopify:remix-run\/server-runtime:*:*:*:*:*:node.js:*:*
Vendors & Products                     Shopify
                                       Shopify react-router
                                       Shopify remix-run\/server-runtime

Wed, 03 Jun 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 03 Jun 2026 12:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Remix-run
                                       Remix-run react-router
                                       Remix-run server-runtime
Vendors & Products                     Remix-run
                                       Remix-run react-router
                                       Remix-run server-runtime

Wed, 03 Jun 2026 02:30:00 +0000

Type          Values Removed   Values Added
Description                    React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.
Title                          React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
Weaknesses                     CWE-400
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T13:52:43.400Z

Reserved: 2026-04-26T13:26:14.514Z

Link: CVE-2026-42342

Vulnrichment

Updated: 2026-06-03T13:52:37.648Z

NVD

Status : Analyzed

Published: 2026-06-02T20:16:36.693

Modified: 2026-06-04T19:00:32.600

Link: CVE-2026-42342

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-03T10:55:15Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption