CVE-2026-42342
Analyzed - Analysis Complete
Path Expansion DoS in React Router Framework

Publication date: 2026-06-02

Last updated on: 2026-06-04

Assigner: GitHub, Inc.

Description
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.
Meta Information
Published: 2026-06-02
Last Modified: 2026-06-04
Generated: 2026-06-23
AI Q&A: 2026-06-02
EPSS Evaluated: 2026-06-21
Affected Vendors & Products
Showing 2 associated CPEs
| Vendor | Product | Version / Range |
| --- | --- | --- |
| shopify | react-router | From 7.0.0 (inc) to 7.15.0 (exc) |
| shopify | remix-run/server-runtime | From 2.10.0 (inc) to 2.17.5 (exc) |
CWE
| CWE ID | Description |
| --- | --- |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
Executive Summary

CVE-2026-42342 is a high-severity vulnerability affecting React Router Framework Mode applications (react-router versions 7.0.0 through 7.14.x) and Remix applications (@remix-run/server-runtime versions 2.10.0 through 2.17.4).

The issue involves specially crafted requests that can consume excessive server resources through unbounded path expansion in the __manifest endpoint.

This resource consumption can lead to degraded response times or complete service unavailability, effectively causing a denial-of-service (DoS) condition.

The vulnerability does not affect applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`).

No privileges or user interaction are required for exploitation, and the attack can be executed remotely over a network.

The vulnerability was patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.

Impact Analysis

This vulnerability can impact you by causing denial-of-service (DoS) conditions on your server.

Specifically, specially crafted requests can consume disproportionate server resources, leading to slower response times or complete unavailability of your application for end users.

Since no privileges or user interaction are needed, an attacker can remotely exploit this vulnerability to disrupt your service.

Mitigation Strategies

To mitigate this vulnerability, immediately upgrade React Router to version 7.15.0 or later, and upgrade @remix-run/server-runtime to version 2.17.5 or later.

Avoid using React Router Framework Mode or Remix versions that fall within the vulnerable ranges (React Router versions 7.0.0 through 7.14.x and Remix versions 2.10.0 through 2.17.4) until patched versions are applied.

Note that applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`) are not affected by this vulnerability.
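
To find which installed copies fall inside the ranges above, the following added example (not code from React Router, Remix or this advisory) scans the `packages` map of a package-lock.json, including nested copies pulled in by other dependencies. The sample lockfile and the `some-lib` and `demo-app` names are constructed; a version match alone does not tell you whether the application uses Framework Mode.

```javascript
// Ranges are taken from the advisory text; the lockfile below is constructed.
const AFFECTED = {
  "react-router": { from: "7.0.0", fixed: "7.15.0" },
  "@remix-run/server-runtime": { from: "2.10.0", fixed: "2.17.5" },
};

// Split "7.14.2-pre.1" into a numeric core [7, 14, 2] and a pre-release flag.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(v);
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Semver ordering; a pre-release sorts below the release with the same core.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  return a.pre ? -1 : 1;
}

// True when version is >= first affected release and < first fixed release.
function isAffected(name, version) {
  const range = AFFECTED[name];
  const v = parseVersion(version);
  if (!range || !v) return false;
  return compare(v, parseVersion(range.from)) >= 0 && compare(v, parseVersion(range.fixed)) < 0;
}

// Walk package-lock.json "packages" (lockfileVersion 2 or 3), nested copies included.
function findAffected(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (meta.version && isAffected(name, meta.version)) {
      hits.push({ path, name, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lockfile fragment: one patched, two affected entries.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react-router": { version: "7.15.0" },
  "node_modules/some-lib/node_modules/react-router": { version: "7.9.4" },
  "node_modules/@remix-run/server-runtime": { version: "2.17.4" },
} };
```

Pass the parsed contents of a real package-lock.json to `findAffected` in place of `sampleLock`; any entry it returns should be upgraded to the patched versions named above.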

Compliance Impact

The vulnerability primarily impacts system availability by enabling denial-of-service attacks through excessive resource consumption. It does not involve data confidentiality or integrity breaches.

Since the vulnerability does not lead to unauthorized access or data exposure, its direct impact on compliance with standards like GDPR or HIPAA, which focus on data protection and privacy, is limited.

However, prolonged service unavailability caused by this vulnerability could indirectly affect compliance if it disrupts critical services or impacts the ability to maintain required operational standards.
