CVE-2026-42211
Remote Code Execution in React Router Framework Mode
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| remix-run | react_router | 7.0.0 (inclusive) through 7.14.1 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42211 is a high-severity vulnerability in React Router versions 7.0.0 through 7.14.1 when used in Framework Mode. It involves a two-step attack that can lead to unauthorized remote code execution (RCE) on the server. This attack requires the application to already have a prototype pollution vulnerability, which is then exploited to trigger the RCE through external requests.
This vulnerability does not affect applications using Declarative Mode or Data Mode. It is related to the deserialization of untrusted data without proper validation, classified under CWE-502.
How can this vulnerability impact me?
If exploited, this vulnerability can allow an attacker to execute arbitrary code remotely on your server without requiring any special privileges or user interaction.
This can lead to severe impacts on the confidentiality, integrity, and availability of your application and data.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, upgrade React Router to version 7.14.2 or later, where the issue is patched.
Additionally, ensure that your application does not have existing prototype pollution vulnerabilities, as this vulnerability requires such a flaw to be exploitable.
Avoid using Framework Mode if possible, or switch to Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>), which are not impacted by this vulnerability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthorized remote code execution (RCE) on affected servers, which can lead to significant impacts on confidentiality, integrity, and availability of data.
Such impacts could potentially result in non-compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure handling of personal information.
However, the vulnerability itself requires an existing prototype pollution flaw in the application code to be exploitable, meaning that compliance risks depend on the presence of that additional vulnerability.