CVE-2026-34077
Client-Side XSS in React Router RSC Redirect Handling

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Meta Information
Generated: 2026-06-23
AI Q&A: 2026-06-03
EPSS Evaluated: 2026-06-21
Affected Vendors & Products (2 associated CPEs)
Vendor: shopify | Product: react-router | Version / Range: from 7.0.0 (inclusive) to 7.14.0 (exclusive)
Vendor: turbo-stream | Product: turbo_stream | Version / Range: up to 3.0.0 (exclusive)
CWE
CWE-770: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
Compliance Impact

The available information does not state how this vulnerability in React Router's unstable React Server Components APIs affects compliance with standards and regulations such as GDPR or HIPAA.

Executive Summary

This vulnerability exists in React Router versions 7.7.0 through 7.13.1 when using its unstable React Server Components (RSC) APIs. It involves a potential client-side Cross-Site Scripting (XSS) issue in the RSC redirect handling if redirects originate from untrusted sources.

Applications not using the unstable RSC APIs in React Router are not affected. The issue was fixed in version 7.13.2.

Impact Analysis

The vulnerability can lead to client-side Cross-Site Scripting (XSS) attacks if an attacker can control redirect sources in applications using the unstable React Server Components APIs in React Router.

Such XSS attacks can allow attackers to execute malicious scripts in the context of the user's browser, potentially leading to session hijacking, data theft, or other malicious actions.

Applications not using the unstable RSC APIs are not impacted.

Mitigation Strategies

Upgrade to React Router version 7.13.2 or later; this release fixes the client-side Cross-Site Scripting (XSS) in the unstable React Server Components (RSC) redirect handling present in versions 7.7.0 through 7.13.1.

Additionally, when using the unstable RSC APIs, ensure that redirect targets do not originate from untrusted sources.
