CVE-2026-42342
Path Expansion DoS in React Router Framework
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range | Status |
|---|---|---|---|
| remix-run | react-router | From 7.0.0 (inc) to 7.14.x (inc) | Affected |
| remix-run | server-runtime | From 2.10.0 (inc) to 2.17.4 (inc) | Affected |
| remix-run | react-router | 7.15.0 | Fixed |
| remix-run | server-runtime | 2.17.5 | Fixed |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-42342 is a high-severity vulnerability affecting React Router Framework Mode applications (versions 7.0.0 through 7.14.x) and Remix versions 2.10.0 through 2.17.4.
The issue involves specially crafted requests that can consume excessive server resources through unbounded path expansion in the __manifest endpoint.
This resource consumption can lead to degraded response times or complete service unavailability, effectively causing a denial-of-service (DoS) condition.
The vulnerability does not affect applications using Declarative Mode (BrowserRouter) or Data Mode (createBrowserRouter/RouterProvider).
No privileges or user interaction are required for exploitation, and the attack can be executed remotely over a network.
The vulnerability was patched in React Router versions 7.15.0 and Remix versions 2.17.5.
How can this vulnerability impact me?
This vulnerability can impact you by causing denial-of-service (DoS) conditions on your server.
Specifically, specially crafted requests can consume disproportionate server resources, leading to slower response times or complete unavailability of your application for end users.
Since no privileges or user interaction are needed, an attacker can remotely exploit this vulnerability to disrupt your service.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade React Router to version 7.15.0 or later, and upgrade @remix-run/server-runtime to version 2.17.5 or later.
Avoid using React Router Framework Mode or Remix versions that fall within the vulnerable ranges (React Router versions 7.0.0 through 7.14.x and Remix versions 2.10.0 through 2.17.4) until patched versions are applied.
Note that applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/RouterProvider) are not affected by this vulnerability.
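The upgrade advice above is easiest to act on once you know which installed copies of the two packages fall inside the affected ranges. The following audit is an added example, not code from the advisory or from the react-router project: it walks the "packages" map of an npm lockfile (lockfileVersion 2 or 3), including nested copies under a dependency's own node_modules, and reports every react-router or @remix-run/server-runtime entry whose version is at or above the first affected version and below the fixed version. The lockfile fragment at the bottom is constructed for the example; the function names and the ADVISORY table are this example's own.

```javascript
// Added example (not from the advisory or the react-router project):
// audit an npm lockfile against the affected ranges stated for CVE-2026-42342.
// Affected: react-router 7.0.0 through 7.14.x (fixed in 7.15.0) and
// @remix-run/server-runtime 2.10.0 through 2.17.4 (fixed in 2.17.5).
const ADVISORY = {
  'react-router': { affectedFrom: '7.0.0', fixedIn: '7.15.0' },
  '@remix-run/server-runtime': { affectedFrom: '2.10.0', fixedIn: '2.17.5' },
};

// Parse "major.minor.patch[-prerelease]" into comparable parts.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v).trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// Negative if a < b, zero if equal, positive if a > b. A prerelease sorts below
// its release (7.15.0-pre.1 < 7.15.0), so a prerelease of the fix is still flagged.
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va.nums[i] !== vb.nums[i]) return va.nums[i] - vb.nums[i];
  }
  return (vb.pre ? 1 : 0) - (va.pre ? 1 : 0);
}

// Classify one package@version against the advisory table.
function assessPackage(name, version) {
  const rule = ADVISORY[name];
  if (!rule) return { name, version, status: 'not-in-scope' };
  const vulnerable =
    compareVersions(version, rule.affectedFrom) >= 0 &&
    compareVersions(version, rule.fixedIn) < 0;
  return {
    name,
    version,
    status: vulnerable ? 'vulnerable' : 'not-affected',
    fixedIn: rule.fixedIn,
  };
}

// Walk the "packages" map of a lockfile. Keys look like "node_modules/react-router"
// or, for a nested copy, "node_modules/<dep>/node_modules/react-router".
function auditLockfile(lock) {
  const findings = [];
  for (const [installPath, entry] of Object.entries(lock.packages || {})) {
    for (const name of Object.keys(ADVISORY)) {
      const isThisPackage =
        installPath === `node_modules/${name}` ||
        installPath.endsWith(`/node_modules/${name}`);
      if (!isThisPackage || !entry.version) continue;
      const result = assessPackage(name, entry.version);
      if (result.status === 'vulnerable') findings.push({ path: installPath, ...result });
    }
  }
  return findings;
}

// Constructed sample lockfile fragment (not any real project's lockfile).
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/react-router': { version: '7.14.2' },
    'node_modules/react': { version: '19.0.0' },
    'node_modules/@remix-run/server-runtime': { version: '2.17.5' },
    'node_modules/some-lib/node_modules/react-router': { version: '7.3.0' },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.path}: ${f.name}@${f.version} is affected; upgrade to ${f.fixedIn}`);
}
```

To run this against a real project, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to `auditLockfile`. The check works purely on version numbers, so it also flags react-router copies in applications that use Declarative Mode or Data Mode, which the advisory states are not affected; treat such hits as candidates to confirm rather than as confirmed exposure, and upgrade anyway if the nested copy serves a Framework Mode app.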
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability primarily impacts system availability by enabling denial-of-service attacks through excessive resource consumption. It does not involve data confidentiality or integrity breaches.
Since the vulnerability does not lead to unauthorized access or data exposure, its direct impact on compliance with standards like GDPR or HIPAA, which focus on data protection and privacy, is limited.
However, prolonged service unavailability caused by this vulnerability could indirectly affect compliance if it disrupts critical services or impacts the ability to maintain required operational standards.