CVE-2026-42211
Status: Analyzed (Analysis Complete)
Remote Code Execution in React Router Framework Mode

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2.
Meta Information

Generated: 2026-06-23
AI Q&A: 2026-06-02
EPSS evaluated: 2026-06-21
Affected Vendors & Products (1 associated CPE)

Vendor: shopify
Product: react-router
Version range: from 7.0.0 (inclusive) to 7.14.2 (exclusive)
CWE

CWE-502: The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
AI Quick Actions
Executive Summary

CVE-2026-42211 affects React Router versions 7.0.0 through 7.14.1 when the application runs in Framework Mode, the server-rendered mode in which loaders and actions execute on the server. The attack has two steps: the attacker first uses a prototype pollution flaw in the application's own code to plant properties on `Object.prototype`, then sends a further external request that makes the server-side React Router code act on that polluted state, ending in unauthorized remote code execution (RCE). React Router itself does not supply the pollution; without the first step the second has nothing to build on.

Applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`) are not affected. The weakness is classified as CWE-502, deserialization of untrusted data without sufficient validation; the page does not name the specific polluted property or the server-side code path involved.

Impact Analysis

If both steps succeed, the attacker executes arbitrary code on the server that hosts the Framework Mode application, with the privileges of the server process. The precondition is a prototype pollution flaw that the attacker can reach over the network; this advisory does not describe the attack as working against an application that lacks one.

Code execution on the server compromises the confidentiality, integrity, and availability of the application, its data, and anything the server process can reach (databases, secrets, internal services).

Mitigation Strategies

Upgrade React Router to version 7.14.2 or later, where the issue is patched. Check every installed copy: a dependency that pins its own `react-router` can leave an affected version nested under `node_modules` even after the top-level package is updated.
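The following is an added example, not code from the React Router project: it checks a version string against the affected range stated on this page and scans the `packages` map of a `package-lock.json` (lockfile version 2 or 3) for every copy of `react-router`, nested ones included. The lockfile shown is constructed for the illustration and `some-plugin` is a hypothetical package name.

```javascript
// Added example (not React Router code): version-range check for CVE-2026-42211
// and a scan of a package-lock.json for every installed copy of react-router.

const AFFECTED_FROM = [7, 0, 0]; // inclusive, from the advisory
const FIXED_AT = [7, 14, 2];     // exclusive: 7.14.2 is the patched release

// Parses "7.14.1", "v7.14.1" or "7.14.2-pre.0"; build metadata after "+" is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  if (!m) throw new Error(`not a semver version: ${v}`);
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], prerelease: m[4] || null };
}

function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True for 7.0.0 <= version < 7.14.2. A prerelease of 7.14.2 sorts before the
// release in semver, so it is still treated as affected; a 7.0.0 prerelease is
// treated as affected too, which errs on the conservative side.
function isAffectedVersion(v) {
  const { core, prerelease } = parseVersion(v);
  if (compareCore(core, AFFECTED_FROM) < 0) return false;
  const cmp = compareCore(core, FIXED_AT);
  if (cmp < 0) return true;
  return cmp === 0 && prerelease !== null;
}

// Walks the "packages" map of a lockfileVersion 2 or 3 package-lock.json and
// returns every react-router entry in the affected range, nested copies included.
function affectedInLockfile(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const isReactRouter =
      path === "node_modules/react-router" || path.endsWith("/node_modules/react-router");
    if (isReactRouter && entry && entry.version && isAffectedVersion(entry.version)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: the top-level copy is patched, but a hypothetical
// dependency ("some-plugin") pins its own, still-affected copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/react-router": { version: "7.14.2" },
    "node_modules/some-plugin": { version: "1.0.0" },
    "node_modules/some-plugin/node_modules/react-router": { version: "7.3.0" },
  },
};

console.log(affectedInLockfile(SAMPLE_LOCK));
```

Against a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `affectedInLockfile`; an empty result means every installed copy is outside the affected range.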

Audit the application for prototype pollution, the precondition this CVE depends on. The usual sources are recursive merge or "deep extend" helpers, settings and configuration loaders, and query-string or JSON handling that writes attacker-supplied keys into objects. Any code path that lets keys named `__proto__`, `constructor` or `prototype` from untrusted input reach an object write must drop those keys or write into null-prototype objects.
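The following is an added example, not code from React Router or from any affected application: it shows the shape of the application-level flaw this CVE requires, a recursive merge that writes untrusted keys, beside a hardened version, plus a runtime probe for a polluted `Object.prototype`. The request payload and the `isAdmin` property are constructed for the illustration.

```javascript
// Added example (not React Router code): the application-side precondition for
// CVE-2026-42211, shown as a vulnerable merge beside a hardened one.

// Vulnerable: recursively merges untrusted JSON into a target without screening keys.
// JSON.parse produces an own property literally named "__proto__", so
// target["__proto__"] resolves to Object.prototype and the recursion writes into it.
function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      if (target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: drop the three keys that reach the prototype chain at every depth,
// and only recurse into a property the target actually owns.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === "object" && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || target[key] === null || typeof target[key] !== "object") {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runtime probe: does Object.prototype carry an own property it should not have?
function isPrototypePolluted(key) {
  return Object.prototype.hasOwnProperty.call(Object.prototype, key);
}

// Constructed attacker payload, as it might arrive in a JSON request body.
const ATTACKER_PAYLOAD = JSON.parse('{"theme":"dark","__proto__":{"isAdmin":true}}');

// Runs the vulnerable merge, records the damage, then cleans up so the rest of
// the process is not left polluted.
function demoUnsafe() {
  const settings = unsafeMerge({}, ATTACKER_PAYLOAD);
  const result = {
    theme: settings.theme,
    polluted: isPrototypePolluted("isAdmin"),
    leaked: ({}).isAdmin === true, // an unrelated object now "has" isAdmin
  };
  delete Object.prototype.isAdmin;
  return result;
}

// Same payload through the hardened merge: the ordinary key survives, the
// prototype write does not happen.
function demoSafe() {
  const settings = safeMerge({}, ATTACKER_PAYLOAD);
  return {
    theme: settings.theme,
    polluted: isPrototypePolluted("isAdmin"),
    leaked: ({}).isAdmin === true,
  };
}

console.log("unsafe:", demoUnsafe());
console.log("safe:  ", demoSafe());
```

The probe is cheap enough to run in a health check or a test suite; once `Object.prototype` has gained a property no code in the process should have written, the first step of this CVE's attack chain has already succeeded.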

Declarative Mode (`<BrowserRouter>`) and Data Mode (`createBrowserRouter`/`<RouterProvider>`) are not affected, but for most applications moving off Framework Mode is not a practical mitigation: Framework Mode is what provides server rendering, loaders and actions. Treat the upgrade as the fix, and use the mode distinction to confirm whether a given application is in scope at all.

Compliance Impact

The vulnerability allows unauthorized remote code execution (RCE) on affected servers, which can lead to significant impacts on confidentiality, integrity, and availability of data.

Such impacts could potentially result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure handling of personal information.

However, the vulnerability itself requires an existing prototype pollution flaw in the application code to be exploitable, meaning that compliance risks depend on the presence of that additional vulnerability.
