CVE-2026-21884
XSS in React Router ScrollRestoration During Server-Side Rendering
Publication date: 2026-01-10
Last updated on: 2026-01-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| remix-run | react | to 2.17.3 (exc) |
| remix-run | react | 2.17.3 |
| react-router | react-router | From 7.0.0 (inc) to 7.12.0 (exc) |
| react-router | react-router | 7.12.0 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-21884 is a high-severity Cross-Site Scripting (XSS) vulnerability in React Router's <ScrollRestoration> API when used in Framework Mode with Server-Side Rendering (SSR). It occurs when the getKey or storageKey props generate keys from untrusted content during SSR, which can lead to arbitrary JavaScript execution. This affects @remix-run/react versions prior to 2.17.3 and react-router versions 7.0.0 through 7.11.0. The vulnerability does not affect applications that disable SSR in Framework Mode or use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). The issue has been patched in later versions. [1]
How can this vulnerability impact me?
This vulnerability can allow remote attackers to execute arbitrary JavaScript code during server-side rendering if untrusted content is used to generate keys, potentially leading to high confidentiality loss and low integrity impact. It requires no privileges but does require user interaction. The attack can compromise sensitive data confidentiality and affect the security scope of components. [1]
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection involves verifying if your application uses React Router versions 7.0.0 through 7.11.0 or @remix-run/react versions prior to 2.17.3 with Server-Side Rendering (SSR) in Framework Mode and the <ScrollRestoration> API with getKey or storageKey props. You can check the installed package versions using commands like `npm list react-router` or `npm list @remix-run/react`. Additionally, review your codebase for usage of <ScrollRestoration> with getKey/storageKey props during SSR. There are no specific network detection commands provided. [1]
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability immediately, upgrade @remix-run/react to version 2.17.3 or later, and react-router to version 7.12.0 or later. Alternatively, disable Server-Side Rendering in Framework Mode or avoid using the <ScrollRestoration> API with getKey/storageKey props during SSR. Using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) also avoids the vulnerability. [1]