Executive Summary

CVE-2026-33244 is a stored Cross-Site Scripting (XSS) vulnerability in React Router versions 7.5.1 through 7.13.1 when using Framework Mode with pre-rendering enabled.

The vulnerability occurs because the HTTP Location header value is not properly neutralized, which allows malicious scripts to be injected into statically generated HTML files if the redirect location comes from an untrusted source.

This issue does not affect applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

The vulnerability was fixed in React Router version 7.13.2.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can allow an attacker to execute malicious scripts in the context of the affected web application by injecting code through the HTTP Location header.

Because the vulnerability affects statically generated HTML files, it can lead to Cross-Site Scripting (XSS) attacks that compromise the confidentiality and integrity of user data.

The attack requires network access, low privileges, and user interaction, but it can result in unauthorized access to sensitive information or manipulation of the application’s behavior.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability involves improper neutralization of the HTTP Location header in React Router versions 7.5.1 through 7.13.1 when using Framework Mode with pre-rendering enabled, leading to stored Cross-Site Scripting (XSS) in statically generated HTML files.

Detection would involve inspecting the HTTP Location headers in responses generated by the affected React Router versions and checking the statically generated HTML files for injected or unneutralized script content originating from untrusted redirect locations.

Since the vulnerability is related to the HTTP Location header and static HTML files, network detection could include monitoring HTTP responses for suspicious or unexpected Location header values or scanning generated HTML files for embedded scripts that could indicate XSS.

No specific commands or tools are provided in the available resources to detect this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation step is to upgrade React Router to version 7.13.2 or later, where this vulnerability has been patched.

Additionally, avoid using Framework Mode with pre-rendering enabled if possible, or ensure that redirect locations come only from trusted sources to reduce the risk of XSS.

Applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are not impacted by this vulnerability.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue that can affect the confidentiality and integrity of data by allowing malicious scripts to be injected into statically generated HTML files. Such security weaknesses can potentially lead to unauthorized access or manipulation of sensitive information.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, vulnerabilities that impact confidentiality and integrity, such as XSS, can pose risks to compliance with these regulations. This is because GDPR and HIPAA require protection of personal and sensitive data against unauthorized access and data breaches.

Therefore, if exploited, this vulnerability could undermine compliance efforts by exposing sensitive data or enabling attacks that violate data protection requirements.

Useful 0 Not Useful 0