CVE-2026-33245
Status: Analyzed (Analysis Complete)
React Router Unstable RSC Redirect XSS Vulnerability

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Affected Vendors & Products (1 associated CPE)

Vendor: shopify
Product: react-router
Version / Range: from 7.7.0 (inclusive) to 7.13.2 (exclusive)
Exploitability

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Executive Summary

CVE-2026-33245 is a high-severity cross-site scripting (XSS) vulnerability in React Router versions 7.7.0 through 7.13.1 when using its unstable React Server Components (RSC) APIs.

The flaw is in the RSC redirect handling: when the redirect target comes from an untrusted source, an attacker who controls that target can cause script to execute in the victim's browser (client-side XSS).

This issue does not affect applications that do not use the unstable RSC APIs, and it has been fixed in version 7.13.2.

Impact Analysis

This vulnerability can lead to client-side cross-site scripting (XSS) attacks if your application uses the unstable RSC APIs in affected React Router versions and handles redirects from untrusted sources.

An attacker could exploit this to execute malicious scripts in the context of your users' browsers, potentially stealing sensitive information, hijacking user sessions, or performing actions on behalf of users.

The CVSS score of 8.0 indicates a high severity, meaning the impact on confidentiality and integrity is significant, although it requires user interaction and high attack complexity.

Mitigation Strategies

To mitigate this vulnerability, upgrade React Router to version 7.13.2 or later; that release contains the fix for the client-side XSS in the unstable React Server Components (RSC) redirect handling.

Until the upgrade is applied, do not feed redirect targets derived from untrusted input (query parameters, request bodies, third-party data) into the unstable RSC redirect path. As defense in depth, independent of the React Router version, validate redirect targets on the server against an allowlist of same-origin paths before they reach any client-side navigation sink.
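The description and the mitigation above both come down to one rule: a redirect target that originates from untrusted input must be validated before a client-side sink navigates to it. The following is an added example written for this page; it is not React Router source and not the 7.13.2 fix, and the page does not describe the exact redirect-handling code path, so the code shows the general allowlist check a practitioner would apply (only same-origin, path-only targets are accepted). The `TRUSTED_ORIGIN` value, the fallback path, the function names and the sample inputs are assumptions constructed for the example.

```javascript
// Added example for this page; not React Router source and not the 7.13.2 fix.
// It shows the general check a practitioner would apply to any redirect target
// that originates from untrusted input before it reaches a client-side
// navigation sink. The origin, fallback path and function names are assumptions.

const TRUSTED_ORIGIN = "https://app.example"; // assumed deployment origin
const SAFE_FALLBACK = "/";                    // assumed safe landing path

// The check many codebases start with. It is insufficient: "//evil.example" and
// "/\evil.example" both start with "/" yet resolve to a foreign host.
function naiveIsRelative(candidate) {
  return typeof candidate === "string" && candidate.startsWith("/");
}

// Allowlist validation: returns a same-origin, path-only target, or `fallback`.
function safeRedirectTarget(candidate, fallback = SAFE_FALLBACK) {
  if (typeof candidate !== "string" || candidate.length === 0) return fallback;

  // Must be a plain absolute path. This rejects scheme-bearing values such as
  // "javascript:alert(1)" or "https://evil.example" (absolute URLs are rejected
  // even for the trusted origin; paths only), protocol-relative "//host", and
  // the backslash variant that the WHATWG URL parser treats as "//host".
  if (!candidate.startsWith("/") || candidate.startsWith("//") || candidate.startsWith("/\\")) {
    return fallback;
  }

  // Control characters, whitespace and markup metacharacters have no business
  // in a redirect path and would matter if the value were ever echoed into HTML.
  if (/[\u0000-\u001f\u007f\s<>"'`]/.test(candidate)) return fallback;

  // Resolve against the trusted origin and confirm the parser kept it there.
  let url;
  try {
    url = new URL(candidate, TRUSTED_ORIGIN);
  } catch {
    return fallback;
  }
  if (url.origin !== TRUSTED_ORIGIN) return fallback;

  return url.pathname + url.search + url.hash;
}

// The single place an untrusted target is allowed to reach location.assign.
// `win` is injected so the function can be exercised outside a browser.
function followRedirect(rawTarget, win) {
  const target = safeRedirectTarget(rawTarget);
  win.location.assign(target);
  return target;
}

// Constructed inputs: the kind of values an attacker might place in a redirect
// parameter, next to one legitimate target.
const SAMPLE_TARGETS = [
  "/account/settings?tab=2#top",
  "javascript:alert(document.cookie)",
  "//evil.example/phish",
  "/\\evil.example",
  "https://app.example/looks-fine",
  "/ok\"><script>alert(1)</script>",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const t of SAMPLE_TARGETS) {
    console.log(JSON.stringify(t), "->", safeRedirectTarget(t));
  }
}
```

The `naiveIsRelative` check is included only to show why a `startsWith("/")` test is not enough: both `//evil.example` and `/\evil.example` pass it, and the second is normalised to a foreign host by the WHATWG URL parser. `safeRedirectTarget` therefore resolves the candidate against a fixed origin and compares `url.origin` rather than trusting the string prefix alone.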
