CVE-2026-33244
XSS in React Router via Untrusted Location Header
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| remix-run | react_router | From 7.5.1 (inc) to 7.13.1 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-33244 is a stored Cross-Site Scripting (XSS) vulnerability in React Router versions 7.5.1 through 7.13.1 when using Framework Mode with pre-rendering enabled.
The vulnerability occurs because the HTTP Location header value is not properly neutralized, which allows malicious scripts to be injected into statically generated HTML files if the redirect location comes from an untrusted source.
This issue does not affect applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
The vulnerability was fixed in React Router version 7.13.2.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to execute malicious scripts in the context of the affected web application by injecting code through the HTTP Location header.
Because the vulnerability affects statically generated HTML files, it can lead to Cross-Site Scripting (XSS) attacks that compromise the confidentiality and integrity of user data.
The attack requires network access, low privileges, and user interaction, but it can result in unauthorized access to sensitive information or manipulation of the applicationβs behavior.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves improper neutralization of the HTTP Location header in React Router versions 7.5.1 through 7.13.1 when using Framework Mode with pre-rendering enabled, leading to stored Cross-Site Scripting (XSS) in statically generated HTML files.
Detection would involve inspecting the HTTP Location headers in responses generated by the affected React Router versions and checking the statically generated HTML files for injected or unneutralized script content originating from untrusted redirect locations.
Since the vulnerability is related to the HTTP Location header and static HTML files, network detection could include monitoring HTTP responses for suspicious or unexpected Location header values or scanning generated HTML files for embedded scripts that could indicate XSS.
No specific commands or tools are provided in the available resources to detect this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade React Router to version 7.13.2 or later, where this vulnerability has been patched.
Additionally, avoid using Framework Mode with pre-rendering enabled if possible, or ensure that redirect locations come only from trusted sources to reduce the risk of XSS.
Applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are not impacted by this vulnerability.