CVE-2026-33245
React Router Unstable RSC Redirect XSS Vulnerability

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Meta Information
Generated: 2026-06-03
AI Q&A: 2026-06-02
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: remix-run
Product: react_router
Version / Range: from 7.7.0 (inclusive) to 7.13.1 (inclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-33245 is a high-severity cross-site scripting (XSS) vulnerability in React Router versions 7.7.0 through 7.13.1 when using its unstable React Server Components (RSC) APIs.

The vulnerability occurs in the handling of redirects from untrusted sources within the RSC APIs, potentially allowing an attacker to execute malicious scripts on the client side.

This issue does not affect applications that do not use the unstable RSC APIs, and it has been fixed in version 7.13.2.

How can this vulnerability impact me?

This vulnerability can lead to client-side cross-site scripting (XSS) attacks if your application uses the unstable RSC APIs in affected React Router versions and handles redirects from untrusted sources.

An attacker could exploit this to execute malicious scripts in the context of your users' browsers, potentially stealing sensitive information, hijacking user sessions, or performing actions on behalf of users.

The CVSS score of 8.0 indicates high severity: the impact on confidentiality and integrity is significant, although exploitation requires user interaction and has high attack complexity.

What immediate steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, upgrade React Router to version 7.13.2 or later, as these versions contain the patch that fixes the client-side XSS issue in the unstable React Server Components (RSC) APIs.

Additionally, avoid using the unstable RSC APIs with redirects from untrusted sources until the upgrade is applied.
