CVE-2026-34077
Client-Side XSS in React Router RSC Redirect Handling

Publication date: 2026-06-02

Last updated on: 2026-06-02

Assigner: GitHub, Inc.

Description
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-02
Generated: 2026-06-03
AI Q&A: 2026-06-03
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 3 associated CPEs

Vendor      Product        Version / Range
remix-run   react_router   From 7.7.0 (inc) to 7.13.1 (inc)
remix-run   react_router   7.13.2
remix-run   react_router   7.14.0
CWE ID    Description
CWE-770   The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
AI Powered Q&A

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how the vulnerability in React Router's unstable React Server Components APIs affects compliance with common standards and regulations such as GDPR or HIPAA.

Can you explain this vulnerability to me?

This vulnerability exists in React Router versions 7.7.0 through 7.13.1 when the unstable React Server Components (RSC) APIs are used. It is a potential client-side Cross-Site Scripting (XSS) issue in the RSC redirect handling, triggered when redirects originate from untrusted sources.

Applications that do not use the unstable RSC APIs in React Router are not affected. The issue was fixed in version 7.13.2.

How can this vulnerability impact me?

The vulnerability can lead to client-side Cross-Site Scripting (XSS) if an attacker can control the source of redirects in an application that uses the unstable React Server Components APIs in React Router.

Such XSS attacks allow attacker-supplied scripts to execute in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.

Applications not using the unstable RSC APIs are not impacted.

What immediate steps should I take to mitigate this vulnerability?

To mitigate the client-side Cross-Site Scripting (XSS) vulnerability in the unstable React Server Components (RSC) APIs of React Router versions 7.7.0 through 7.13.1, upgrade to React Router version 7.13.2 or later.

Additionally, ensure that your application does not act on redirects from untrusted sources when using the unstable RSC APIs.