NodeJS/react-router/7.3.0-pre.1


Declarative routing for React

https://www.npmjs.com/package/react-router
MIT

7 Security Vulnerabilities

React Router vulnerable to XSS via Open Redirects

Published date: 2026-01-08T20:54:18Z
CVE: CVE-2026-22029

React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

Note: This does not impact applications that use Declarative Mode (<BrowserRouter>).

Affected versions: ["7.11.0", "7.11.0-pre.0", "7.10.1", "7.10.1-pre.0", "7.10.0", "7.10.0-pre.1", "7.10.0-pre.0", "7.9.6", "7.9.6-pre.1", "7.9.6-pre.0", "7.9.5", "7.9.5-pre.0", "7.9.4", "7.9.4-pre.0", "7.9.3", "7.9.3-pre.0", "7.9.2", "7.9.2-pre.3", "7.9.2-pre.2", "7.9.2-pre.1", "7.9.2-pre.0", "7.9.1", "7.9.1-pre.0", "7.9.0", "7.9.0-pre.1", "7.9.0-pre.0", "7.8.2", "7.8.2-pre.1", "7.8.2-pre.0", "7.8.1", "7.8.1-pre.1", "7.8.1-pre.0", "7.8.0", "7.8.0-pre.3", "7.8.0-pre.2", "7.8.0-pre.1", "7.8.0-pre.0", "7.7.1", "7.7.1-pre.0", "7.7.0", "7.7.0-pre.2", "7.7.0-pre.1", "7.7.0-pre.0", "7.6.3", "7.6.3-pre.0", "7.6.2", "7.6.1", "7.6.1-pre.2", "7.6.1-pre.1", "7.6.1-pre.0", "7.6.0", "7.6.0-pre.0", "7.5.3", "7.5.3-pre.0", "7.5.2", "7.5.1", "7.5.1-pre.0", "7.5.0", "7.5.0-pre.1", "7.5.0-pre.0", "7.4.1", "7.4.1-pre.0", "7.4.0", "7.4.0-pre.0", "7.3.0", "7.3.0-pre.1", "7.3.0-pre.0", "7.2.0", "7.2.0-pre.6", "7.2.0-pre.5", "7.2.0-pre.4", "7.2.0-pre.3", "7.2.0-pre.2", "7.2.0-pre.1", "7.2.0-pre.0", "7.1.5", "7.1.5-pre.0", "7.1.4", "7.1.4-pre.0", "7.1.3", "7.1.3-pre.0", "7.1.2", "7.1.2-pre.0", "7.1.1", "7.1.1-pre.0", "7.1.0", "7.1.0-pre.0", "7.0.2", "7.0.2-pre.0", "7.0.1", "7.0.1-pre.0", "7.0.0"]
Recommendation: Update to version 7.13.1.

React Router has XSS Vulnerability

Published date: 2026-01-08T20:42:20Z
CVE: CVE-2025-59057

An XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.

Note: This does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Affected versions: ["7.8.2", "7.8.2-pre.1", "7.8.2-pre.0", "7.8.1", "7.8.1-pre.1", "7.8.1-pre.0", "7.8.0", "7.8.0-pre.3", "7.8.0-pre.2", "7.8.0-pre.1", "7.8.0-pre.0", "7.7.1", "7.7.1-pre.0", "7.7.0", "7.7.0-pre.2", "7.7.0-pre.1", "7.7.0-pre.0", "7.6.3", "7.6.3-pre.0", "7.6.2", "7.6.1", "7.6.1-pre.2", "7.6.1-pre.1", "7.6.1-pre.0", "7.6.0", "7.6.0-pre.0", "7.5.3", "7.5.3-pre.0", "7.5.2", "7.5.1", "7.5.1-pre.0", "7.5.0", "7.5.0-pre.1", "7.5.0-pre.0", "7.4.1", "7.4.1-pre.0", "7.4.0", "7.4.0-pre.0", "7.3.0", "7.3.0-pre.1", "7.3.0-pre.0", "7.2.0", "7.2.0-pre.6", "7.2.0-pre.5", "7.2.0-pre.4", "7.2.0-pre.3", "7.2.0-pre.2", "7.2.0-pre.1", "7.2.0-pre.0", "7.1.5", "7.1.5-pre.0", "7.1.4", "7.1.4-pre.0", "7.1.3", "7.1.3-pre.0", "7.1.2", "7.1.2-pre.0", "7.1.1", "7.1.1-pre.0", "7.1.0", "7.1.0-pre.0", "7.0.2", "7.0.2-pre.0", "7.0.1", "7.0.1-pre.0", "7.0.0"]
Recommendation: Update to version 7.13.1.

React Router SSR XSS in ScrollRestoration

Published date: 2026-01-08T20:50:05Z
CVE: CVE-2026-21884

An XSS vulnerability exists in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

Note: This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Affected versions: ["7.12.0-pre.0", "7.11.0", "7.11.0-pre.0", "7.10.1", "7.10.1-pre.0", "7.10.0", "7.10.0-pre.1", "7.10.0-pre.0", "7.9.6", "7.9.6-pre.1", "7.9.6-pre.0", "7.9.5", "7.9.5-pre.0", "7.9.4", "7.9.4-pre.0", "7.9.3", "7.9.3-pre.0", "7.9.2", "7.9.2-pre.3", "7.9.2-pre.2", "7.9.2-pre.1", "7.9.2-pre.0", "7.9.1", "7.9.1-pre.0", "7.9.0", "7.9.0-pre.1", "7.9.0-pre.0", "7.8.2", "7.8.2-pre.1", "7.8.2-pre.0", "7.8.1", "7.8.1-pre.1", "7.8.1-pre.0", "7.8.0", "7.8.0-pre.3", "7.8.0-pre.2", "7.8.0-pre.1", "7.8.0-pre.0", "7.7.1", "7.7.1-pre.0", "7.7.0", "7.7.0-pre.2", "7.7.0-pre.1", "7.7.0-pre.0", "7.6.3", "7.6.3-pre.0", "7.6.2", "7.6.1", "7.6.1-pre.2", "7.6.1-pre.1", "7.6.1-pre.0", "7.6.0", "7.6.0-pre.0", "7.5.3", "7.5.3-pre.0", "7.5.2", "7.5.1", "7.5.1-pre.0", "7.5.0", "7.5.0-pre.1", "7.5.0-pre.0", "7.4.1", "7.4.1-pre.0", "7.4.0", "7.4.0-pre.0", "7.3.0", "7.3.0-pre.1", "7.3.0-pre.0", "7.2.0", "7.2.0-pre.6", "7.2.0-pre.5", "7.2.0-pre.4", "7.2.0-pre.3", "7.2.0-pre.2", "7.2.0-pre.1", "7.2.0-pre.0", "7.1.5", "7.1.5-pre.0", "7.1.4", "7.1.4-pre.0", "7.1.3", "7.1.3-pre.0", "7.1.2", "7.1.2-pre.0", "7.1.1", "7.1.1-pre.0", "7.1.0", "7.1.0-pre.0", "7.0.2", "7.0.2-pre.0", "7.0.1", "7.0.1-pre.0", "7.0.0"]
Recommendation: Update to version 7.13.1.

React Router has unexpected external redirect via untrusted paths

Published date: 2026-01-08T20:48:21Z
CVE: CVE-2025-68470

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

Affected versions: ["7.9.6-pre.1", "7.9.6-pre.0", "7.9.5", "7.9.5-pre.0", "7.9.4", "7.9.4-pre.0", "7.9.3", "7.9.3-pre.0", "7.9.2", "7.9.2-pre.3", "7.9.2-pre.2", "7.9.2-pre.1", "7.9.2-pre.0", "7.9.1", "7.9.1-pre.0", "7.9.0", "7.9.0-pre.1", "7.9.0-pre.0", "7.8.2", "7.8.2-pre.1", "7.8.2-pre.0", "7.8.1", "7.8.1-pre.1", "7.8.1-pre.0", "7.8.0", "7.8.0-pre.3", "7.8.0-pre.2", "7.8.0-pre.1", "7.8.0-pre.0", "7.7.1", "7.7.1-pre.0", "7.7.0", "7.7.0-pre.2", "7.7.0-pre.1", "7.7.0-pre.0", "7.6.3", "7.6.3-pre.0", "7.6.2", "7.6.1", "7.6.1-pre.2", "7.6.1-pre.1", "7.6.1-pre.0", "7.6.0", "7.6.0-pre.0", "7.5.3", "7.5.3-pre.0", "7.5.2", "7.5.1", "7.5.1-pre.0", "7.5.0", "7.5.0-pre.1", "7.5.0-pre.0", "7.4.1", "7.4.1-pre.0", "7.4.0", "7.4.0-pre.0", "7.3.0", "7.3.0-pre.1", "7.3.0-pre.0", "7.2.0", "7.2.0-pre.6", "7.2.0-pre.5", "7.2.0-pre.4", "7.2.0-pre.3", "7.2.0-pre.2", "7.2.0-pre.1", "7.2.0-pre.0", "7.1.5", "7.1.5-pre.0", "7.1.4", "7.1.4-pre.0", "7.1.3", "7.1.3-pre.0", "7.1.2", "7.1.2-pre.0", "7.1.1", "7.1.1-pre.0", "7.1.0", "7.1.0-pre.0", "7.0.2", "7.0.2-pre.0", "7.0.1", "7.0.1-pre.0", "7.0.0", "6.30.2-pre-v6.0", "6.30.1", "6.30.0", "6.30.0-pre-v6.0", "6.29.0", "6.29.0-pre-v6.2", "6.28.3-pre-v6.1", "6.28.3-pre-v6.0", "6.28.2", "6.28.2-pre.0", "6.28.1", "6.28.1-pre.0", "6.28.0", "6.28.0-pre.0", "6.27.0", "6.27.0-pre.1", "6.27.0-pre.0", "6.26.2", "6.26.2-pre.0", "6.26.1", "6.26.1-pre.0", "6.26.0", "6.26.0-pre.1", "6.26.0-pre.0", "6.25.1", "6.25.1-pre.0", "6.25.0", "6.25.0-pre.0", "6.24.1", "6.24.1-pre.0", "6.24.0", "6.24.0-pre.0", "6.23.1", "6.23.1-pre.1", "6.23.1-pre.0", "6.23.0", "6.23.0-pre.1", "6.23.0-pre.0", "6.22.3", "6.22.3-pre.0", "6.22.2", "6.22.2-pre.0", "6.22.1", "6.22.1-pre.0", "6.22.0", "6.22.0-pre.0", "6.21.3", "6.21.3-pre.0", "6.21.2", "6.21.2-pre.0", "6.21.1", "6.21.1-pre.0", "6.21.0", "6.21.0-pre.3", "6.21.0-pre.2", "6.21.0-pre.1", "6.21.0-pre.0", "6.20.1", "6.20.1-pre.0", "6.20.0", "6.20.0-pre.0", "6.19.0", "6.19.0-pre.0", "6.18.0", "6.18.0-pre.1", "6.18.0-pre.0", 
"6.17.0", "6.17.0-pre.2", "6.17.0-pre.1", "6.17.0-pre.0", "6.16.0", "6.16.0-pre.2", "6.16.0-pre.1", "6.16.0-pre.0", "6.15.0", "6.15.0-pre.0", "6.14.2", "6.14.2-pre.1", "6.14.2-pre.0", "6.14.1", "6.14.1-pre.1", "6.14.1-pre.0", "6.14.0", "6.14.0-pre.1", "6.14.0-pre.0", "6.13.0", "6.13.0-pre.1", "6.12.2-pre.0", "6.12.1", "6.12.1-pre.0", "6.12.0", "6.12.0-pre.1", "6.12.0-pre.0", "6.11.2", "6.11.2-pre.0", "6.11.1", "6.11.1-pre.0", "6.11.0", "6.11.0-pre.2", "6.11.0-pre.1", "6.11.0-pre.0", "6.10.0", "6.10.0-pre.2", "6.10.0-pre.1", "6.10.0-pre.0", "6.9.0", "6.9.0-pre.0", "6.8.2", "6.8.2-pre.3", "6.8.2-pre.2", "6.8.2-pre.1", "6.8.2-pre.0", "6.8.1", "6.8.1-pre.0", "6.8.0", "6.8.0-pre.1", "6.7.1-pre.0", "6.7.0", "6.7.0-pre.5", "6.7.0-pre.4", "6.7.0-pre.3", "6.7.0-pre.2", "6.7.0-pre.1", "6.6.3-pre.0", "6.6.2", "6.6.2-pre.0", "6.6.1", "6.6.1-pre.1", "6.6.1-pre.0", "6.6.0", "6.6.0-pre.0", "6.5.0", "6.5.0-pre.1", "6.5.0-pre.0", "6.4.5", "6.4.5-pre.2", "6.4.5-pre.1", "6.4.5-pre.0", "6.4.4", "6.4.4-pre.2", "6.4.4-pre.1", "6.4.4-pre.0", "6.4.3", "6.4.3-pre.2", "6.4.3-pre.1", "6.4.3-pre.0", "6.4.2", "6.4.2-pre.1", "6.4.2-pre.0", "6.4.1", "6.4.1-pre.0", "6.4.0", "6.4.0-pre.15", "6.4.0-pre.14", "6.4.0-pre.13", "6.4.0-pre.12", "6.4.0-pre.11", "6.4.0-pre.10", "6.4.0-pre.9", "6.4.0-pre.8", "6.4.0-pre.7", "6.4.0-pre.6", "6.4.0-pre.5", "6.4.0-pre.4", "6.4.0-pre.3", "6.4.0-pre.2", "6.4.0-pre.0", "6.3.0", "6.2.2", "6.2.2-pre.0", "6.2.1", "6.2.0", "6.1.1", "6.1.0", "6.0.2", "6.0.1", "6.0.0"]
Recommendation: Update to version 7.13.1.
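
The advisory above applies only when untrusted content reaches navigate(), <Link> or redirect(). The following is an added example, not React Router code, of validating such a value first; `safeInternalPath`, `APP_ORIGIN` and the sample inputs in the comments are assumptions made for illustration.

```javascript
// Added example (not part of React Router). Reduces an untrusted "return to"
// value to a same-origin, root-relative path before it is handed to
// redirect(), navigate() or <Link to=...>.
// APP_ORIGIN is a placeholder; use the origin your application is served from.
const APP_ORIGIN = "https://app.example";

// C0 control characters, DEL and backslash. URL parsers silently strip tabs
// and newlines and treat "\" like "/" for http(s) URLs, so a string containing
// any of them can resolve to something other than what it appears to be.
const FORBIDDEN_CHARS = /[\u0000-\u001f\u007f\\]/;

function safeInternalPath(untrusted, fallback = "/") {
  if (typeof untrusted !== "string" || untrusted === "") return fallback;
  if (FORBIDDEN_CHARS.test(untrusted)) return fallback;

  // Only root-relative paths are accepted. This rejects absolute URLs,
  // scheme-only values and protocol-relative "//host" forms.
  if (!untrusted.startsWith("/") || untrusted.startsWith("//")) return fallback;

  let resolved;
  try {
    resolved = new URL(untrusted, APP_ORIGIN);
  } catch {
    return fallback;
  }
  if (resolved.origin !== APP_ORIGIN) return fallback;

  // Re-serialise from the parsed parts so the caller gets the normalised form.
  const path = resolved.pathname + resolved.search + resolved.hash;

  // Dot-segment removal can produce a path that begins with "//"
  // (constructed sample: "/.//other.example"), which a browser would read as
  // protocol-relative if it were navigated to. Check again after normalising.
  if (path.startsWith("//")) return fallback;

  return path;
}

// Typical use inside a loader or action (shown as a comment so that this
// block runs without react-router installed):
//
//   const target = new URL(request.url).searchParams.get("redirectTo");
//   return redirect(safeInternalPath(target, "/dashboard"));
```
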

React Router allows pre-render data spoofing on React-Router framework mode

Published date: 2025-04-24T16:31:32Z
CVE: CVE-2025-43865

Summary

After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This makes it possible to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.

Details

The vulnerable header is X-React-Router-Prerender-Data. A specific JSON object must be passed to it for the spoofing to succeed, as we will see shortly. Here is the vulnerable code:

[Screenshot: the vulnerable code]

To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.

Steps to reproduce

Versions used for our PoC:

  • @react-router/node: ^7.5.0
  • @react-router/serve: ^7.5.0
  • react: ^19.0.0
  • react-dom: ^19.0.0
  • react-router: ^7.5.0

  1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
  2. Add a simple page using a loader (example: routes/ssr)
  3. Access your page (which uses the loader) by suffixing it with .data. In our case the page is called /ssr:

[Screenshot: the /ssr page]

We access it by adding the suffix .data and retrieve the data object, needed for the header:

[Screenshot: the data object returned with the .data suffix]

  4. Send your request by adding the X-React-Router-Prerender-Data header with the previously retrieved object as its value. You can change any value of your data object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):

[Screenshot: the request with the modified header and its response]

As you can see, all values have been changed/overwritten by the values provided via the header.

Impact

The impact is significant: if a cache system is in place, it is possible to poison a response so that all of the data transmitted via a loader is altered by an attacker, allowing them to take control of the content of the page and modify it as they wish via a cache-poisoning attack. This can lead to several types of attacks, including potential stored XSS, depending on the context in which the data is injected and/or how the data is used on the client side.

Credits

  • Rachid Allam (zhero;)
  • Yasser Allam (inzo_)

Affected versions: ["7.5.1", "7.5.1-pre.0", "7.5.0", "7.5.0-pre.1", "7.5.0-pre.0", "7.4.1", "7.4.1-pre.0", "7.4.0", "7.4.0-pre.0", "7.3.0", "7.3.0-pre.1", "7.3.0-pre.0", "7.2.0", "7.2.0-pre.6", "7.2.0-pre.5", "7.2.0-pre.4", "7.2.0-pre.3", "7.2.0-pre.2", "7.2.0-pre.1", "7.2.0-pre.0", "7.1.5", "7.1.5-pre.0", "7.1.4", "7.1.4-pre.0", "7.1.3", "7.1.3-pre.0", "7.1.2", "7.1.2-pre.0", "7.1.1", "7.1.1-pre.0", "7.1.0", "7.1.0-pre.0", "7.0.2", "7.0.2-pre.0", "7.0.1", "7.0.1-pre.0", "7.0.0", "7.0.0-pre.6", "7.0.0-pre.5", "7.0.0-pre.4", "7.0.0-pre.3", "7.0.0-pre.2", "7.0.0-pre.1", "7.0.0-pre.0"]
Recommendation: Update to version 7.13.1.

React Router allows a DoS via cache poisoning by forcing SPA mode

Published date: 2025-04-24T16:31:16Z
CVE: CVE-2025-43864

Summary

After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application.

Details

The vulnerable header is X-React-Router-SPA-Mode; adding it to a request sent to a page/endpoint using a loader throws an error. Here is the vulnerable code:

[Screenshot: the vulnerable code]

To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.

Steps to reproduce

Versions used for our PoC:

  • @react-router/node: ^7.5.0
  • @react-router/serve: ^7.5.0
  • react: ^19.0.0
  • react-dom: ^19.0.0
  • react-router: ^7.5.0

  1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
  2. Add a simple page using a loader (example: routes/ssr)

  3. Send a request to the endpoint using the loader (/ssr in our case) adding the following header: X-React-Router-SPA-Mode: yes

Notice the difference between a request with and without the header:

Normal request: [Screenshot: response without the header]

With the header: [Screenshot: response with the header]

Impact

If a cache system is in place, it is possible to poison the response by completely replacing its content with an error message. Through this cache-poisoning attack the page becomes unusable, which strongly impacts its availability.

Credits

  • Rachid Allam (zhero;)
  • Yasser Allam (inzo_)

Affected versions: ["7.5.1", "7.5.1-pre.0", "7.5.0", "7.5.0-pre.1", "7.5.0-pre.0", "7.4.1", "7.4.1-pre.0", "7.4.0", "7.4.0-pre.0", "7.3.0", "7.3.0-pre.1", "7.3.0-pre.0", "7.2.0"]
Recommendation: Update to version 7.13.1.
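
Both header-based advisories above (X-React-Router-Prerender-Data and X-React-Router-SPA-Mode) depend on a client-supplied header reaching the server handler and the resulting response being cached. The following is an added defense-in-depth example, not React Router's own code or its fix: it strips both headers at the network-facing edge and marks the response as not storable. `withInternalHeaderGuard`, the `(request) => Response` handler shape and the `log` callback are assumptions, as is the premise that no legitimate client sends these headers over the network.

```javascript
// Added example (not part of React Router). Runs on Node 18+ or any runtime
// with the Fetch API globals (Headers, Request, Response).

// The two request headers named in the advisories, in lower case.
const INTERNAL_HEADERS = [
  "x-react-router-prerender-data",
  "x-react-router-spa-mode",
];

// Returns a copy of `headers` without the internal headers, plus the names
// that were removed. Accepts a Headers instance or a plain object; Headers
// lookups are case-insensitive, so any capitalisation is caught.
function stripInternalHeaders(headers) {
  const clean = new Headers(headers);
  const removed = [];
  for (const name of INTERNAL_HEADERS) {
    if (clean.has(name)) {
      clean.delete(name);
      removed.push(name);
    }
  }
  return { headers: clean, removed };
}

// Wraps a hypothetical Fetch-style handler so that it never sees the internal
// headers when they arrive from the network.
function withInternalHeaderGuard(handler, log = console.warn) {
  return async function guarded(request) {
    const { headers, removed } = stripInternalHeaders(request.headers);
    if (removed.length === 0) return handler(request);

    // Worth alerting on: ordinary browsers do not send these headers.
    const path = new URL(request.url).pathname;
    log(`stripped client-supplied headers [${removed.join(", ")}] on ${request.method} ${path}`);

    // Request headers are immutable, so build a sanitised copy of the request.
    const response = await handler(new Request(request, { headers }));

    // Rebuild the response so its headers are mutable, then tell shared
    // caches not to store the answer to a request that carried the headers.
    const guardedResponse = new Response(response.body, response);
    guardedResponse.headers.set("Cache-Control", "no-store");
    return guardedResponse;
  };
}
```

Removing the headers at a reverse proxy or CDN in front of the application achieves the same effect; either way, upgrading remains the fix the advisories recommend.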

React Router has CSRF issue in Action/Server Action Request Processing

Published date: 2026-01-08T20:57:09Z
CVE: CVE-2026-22030

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

Note: This does not impact applications that use Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Affected versions: ["7.11.0", "7.11.0-pre.0", "7.10.1", "7.10.1-pre.0", "7.10.0", "7.10.0-pre.1", "7.10.0-pre.0", "7.9.6", "7.9.6-pre.1", "7.9.6-pre.0", "7.9.5", "7.9.5-pre.0", "7.9.4", "7.9.4-pre.0", "7.9.3", "7.9.3-pre.0", "7.9.2", "7.9.2-pre.3", "7.9.2-pre.2", "7.9.2-pre.1", "7.9.2-pre.0", "7.9.1", "7.9.1-pre.0", "7.9.0", "7.9.0-pre.1", "7.9.0-pre.0", "7.8.2", "7.8.2-pre.1", "7.8.2-pre.0", "7.8.1", "7.8.1-pre.1", "7.8.1-pre.0", "7.8.0", "7.8.0-pre.3", "7.8.0-pre.2", "7.8.0-pre.1", "7.8.0-pre.0", "7.7.1", "7.7.1-pre.0", "7.7.0", "7.7.0-pre.2", "7.7.0-pre.1", "7.7.0-pre.0", "7.6.3", "7.6.3-pre.0", "7.6.2", "7.6.1", "7.6.1-pre.2", "7.6.1-pre.1", "7.6.1-pre.0", "7.6.0", "7.6.0-pre.0", "7.5.3", "7.5.3-pre.0", "7.5.2", "7.5.1", "7.5.1-pre.0", "7.5.0", "7.5.0-pre.1", "7.5.0-pre.0", "7.4.1", "7.4.1-pre.0", "7.4.0", "7.4.0-pre.0", "7.3.0", "7.3.0-pre.1", "7.3.0-pre.0", "7.2.0", "7.2.0-pre.6", "7.2.0-pre.5", "7.2.0-pre.4", "7.2.0-pre.3", "7.2.0-pre.2", "7.2.0-pre.1", "7.2.0-pre.0", "7.1.5", "7.1.5-pre.0", "7.1.4", "7.1.4-pre.0", "7.1.3", "7.1.3-pre.0", "7.1.2", "7.1.2-pre.0", "7.1.1", "7.1.1-pre.0", "7.1.0", "7.1.0-pre.0", "7.0.2", "7.0.2-pre.0", "7.0.1", "7.0.1-pre.0", "7.0.0"]
Secure versions: [0.0.0, 0.0.0-nightly-004f18fa3-20250118, 0.0.0-nightly-0061b031c-20241012, 0.0.0-nightly-028fe7370-20241224, 0.0.0-nightly-02ade43d5-20250107, 0.0.0-nightly-02b363c76-20241019, 0.0.0-nightly-037474993-20240530, 0.0.0-nightly-03808c631-20240725, 0.0.0-nightly-041701ead-20241222, 0.0.0-nightly-058b57f14-20240621, 0.0.0-nightly-05a94eca8-20240625, 0.0.0-nightly-06e98c3ba-20241120, 0.0.0-nightly-09b52e491-20240606, 0.0.0-nightly-0c08bd001-20250510, 0.0.0-nightly-0ea8e6690-20241206, 0.0.0-nightly-10a1eff90-20241121, 0.0.0-nightly-10a6fd0e1-20240531, 0.0.0-nightly-128652c63-20240622, 0.0.0-nightly-12c37f0f0-20240928, 0.0.0-nightly-135d8d9b1-20240525, 0.0.0-nightly-13df3cec9-20241016, 0.0.0-nightly-14a0face4-20240726, 0.0.0-nightly-14e8e5d1a-20240801, 0.0.0-nightly-183fdb88c-20240730, 0.0.0-nightly-1923f4b0a-20250210, 0.0.0-nightly-1974c2661-20240524, 0.0.0-nightly-1a96ee758-20240912, 0.0.0-nightly-1b103a82e-20241110, 0.0.0-nightly-1c03f313d-20250425, 0.0.0-nightly-1e6b2e162-20250214, 0.0.0-nightly-1fa84a4d4-20241025, 0.0.0-nightly-20f9592ac-20240913, 0.0.0-nightly-21a850a42-20241101, 0.0.0-nightly-242035412-20240921, 0.0.0-nightly-26cc9d914-20240904, 0.0.0-nightly-283fa44bc-20250220, 0.0.0-nightly-2abe5f5e9-20241219, 0.0.0-nightly-2aeb07881-20241103, 0.0.0-nightly-2c5d54de7-20250226, 0.0.0-nightly-2c87a07f8-20250503, 0.0.0-nightly-2d5924f56-20241024, 0.0.0-nightly-2e661fbb4-20250327, 0.0.0-nightly-2f58222ba-20241017, 0.0.0-nightly-30460939b-20250517, 0.0.0-nightly-311e971e9-20240918, 0.0.0-nightly-31a9ad847-20241023, 0.0.0-nightly-329fc0ae0-20241221, 0.0.0-nightly-3acc86586-20241109, 0.0.0-nightly-3be44ecef-20241216, 0.0.0-nightly-3f25ab396-20240704, 0.0.0-nightly-3fdae37ec-20240914, 0.0.0-nightly-4263ec297-20241004, 0.0.0-nightly-428117233-20250418, 0.0.0-nightly-44a456835-20250103, 0.0.0-nightly-47953dd5d-20241123, 0.0.0-nightly-4901f05e2-20240711, 0.0.0-nightly-4996fbe2b-20240629, 0.0.0-nightly-4abec7a1b-20250313, 0.0.0-nightly-4ad69f9d4-20250130, 
0.0.0-nightly-4af1d409c-20241118, 0.0.0-nightly-4da1dee21-20250304, 0.0.0-nightly-4db408248-20240910, 0.0.0-nightly-4f885c4f7-20250317, 0.0.0-nightly-5115991bf-20241217, 0.0.0-nightly-520ab610e-20240703, 0.0.0-nightly-5287ffc12-20241105, 0.0.0-nightly-54147a377-20250224, 0.0.0-nightly-5466640fc-20240510, 0.0.0-nightly-54d45d4a7-20250216, 0.0.0-nightly-58439e382-20250227, 0.0.0-nightly-59736e501-20240905, 0.0.0-nightly-5aa77698d-20240828, 0.0.0-nightly-5ab7ff74e-20250314, 0.0.0-nightly-5af3eaa96-20250506, 0.0.0-nightly-5d6f8013e-20250513, 0.0.0-nightly-626bc840a-20240731, 0.0.0-nightly-64e0a0313-20241207, 0.0.0-nightly-65d3d6cde-20240628, 0.0.0-nightly-66613c0c6-20241018, 0.0.0-nightly-68f43b8cd-20241119, 0.0.0-nightly-6b677a71b-20250219, 0.0.0-nightly-6c7c5147c-20241008, 0.0.0-nightly-6df9b21a9-20250218, 0.0.0-nightly-6f2168e82-20250114, 0.0.0-nightly-726b5249a-20250416, 0.0.0-nightly-727bc37b9-20250208, 0.0.0-nightly-73afcdc0d-20240523, 0.0.0-nightly-7583dc758-20250502, 0.0.0-nightly-77b730c0a-20250225, 0.0.0-nightly-7bc242270-20250412, 0.0.0-nightly-7de375944-20250206, 0.0.0-nightly-7fd797a72-20241022, 0.0.0-nightly-80cf6ffad-20250124, 0.0.0-nightly-818d327ce-20241117, 0.0.0-nightly-8389d48e0-20250512, 0.0.0-nightly-854031618-20240819, 0.0.0-nightly-892468ee7-20250212, 0.0.0-nightly-8a5cf097f-20241030, 0.0.0-nightly-8b31f25af-20240926, 0.0.0-nightly-8b821645a-20241214, 0.0.0-nightly-8e4963fae-20250424, 0.0.0-nightly-8f12ed19a-20240924, 0.0.0-nightly-8fc8239ff-20241003, 0.0.0-nightly-8ff4d5fe7-20241204, 0.0.0-nightly-90d6e43a9-20250122, 0.0.0-nightly-90ebbf91d-20240718, 0.0.0-nightly-934427247-20240717, 0.0.0-nightly-96b441bdd-20240511, 0.0.0-nightly-9a3d9fc19-20241205, 0.0.0-nightly-9b3accc5e-20250410, 0.0.0-nightly-9bf91e47c-20240822, 0.0.0-nightly-9e0c2a051-20250108, 0.0.0-nightly-a096ebc81-20240919, 0.0.0-nightly-a26b992a1-20240917, 0.0.0-nightly-a41323a0b-20241011, 0.0.0-nightly-a4e9d2ffa-20241114, 0.0.0-nightly-a5f191b5e-20240820, 
0.0.0-nightly-a87b7960c-20250408, 0.0.0-nightly-a9e1d47b6-20240619, 0.0.0-nightly-ab9842614-20241116, 0.0.0-nightly-ac199f437-20241014, 0.0.0-nightly-ac399b7b3-20250201, 0.0.0-nightly-ac5b36cb0-20240626, 0.0.0-nightly-acb339f23-20241031, 0.0.0-nightly-aeb2e174c-20250106, 0.0.0-nightly-aed1b458e-20241124, 0.0.0-nightly-afef30ced-20240729, 0.0.0-nightly-b045242e8-20250117, 0.0.0-nightly-b099df09b-20241106, 0.0.0-nightly-b0dfdc607-20250228, 0.0.0-nightly-b2c8f9c8a-20240522, 0.0.0-nightly-b3ad2a2f7-20250221, 0.0.0-nightly-b604032d8-20240907, 0.0.0-nightly-b64eb837d-20250213, 0.0.0-nightly-b660a7fe2-20241026, 0.0.0-nightly-b7b187661-20250507, 0.0.0-nightly-b8cf1b6e3-20250402, 0.0.0-nightly-bad24c173-20240604, 0.0.0-nightly-bb58afdfd-20240520, 0.0.0-nightly-bc1c1c8ef-20241005, 0.0.0-nightly-bc437079e-20250318, 0.0.0-nightly-bd50e0760-20250405, 0.0.0-nightly-bf23aaf61-20240802, 0.0.0-nightly-bf2bc0544-20250222, 0.0.0-nightly-bf7ecb711-20240911, 0.0.0-nightly-c0f766f34-20250329, 0.0.0-nightly-c1618cd61-20241102, 0.0.0-nightly-c1a2f116c-20241108, 0.0.0-nightly-c34cbeb8b-20240823, 0.0.0-nightly-c364bd450-20250116, 0.0.0-nightly-c3d95f026-20240906, 0.0.0-nightly-c40f7861c-20250409, 0.0.0-nightly-c4c48afc1-20240713, 0.0.0-nightly-c4d590c64-20241104, 0.0.0-nightly-c5b264133-20250115, 0.0.0-nightly-c6420cdda-20241115, 0.0.0-nightly-c72e6df91-20240807, 0.0.0-nightly-c846a2e1e-20240627, 0.0.0-nightly-c9487e672-20241212, 0.0.0-nightly-cd50dc631-20250315, 0.0.0-nightly-cd5681bd2-20250415, 0.0.0-nightly-d07cefedf-20250401, 0.0.0-nightly-d1aaa2d4a-20250426, 0.0.0-nightly-d1bb8941a-20240920, 0.0.0-nightly-d294ab274-20241007, 0.0.0-nightly-d3e913b81-20250301, 0.0.0-nightly-d4127aa37-20240521, 0.0.0-nightly-d5ad0613b-20240620, 0.0.0-nightly-d65827ebb-20241002, 0.0.0-nightly-da617bbed-20241113, 0.0.0-nightly-db577511d-20240925, 0.0.0-nightly-db92c6919-20250104, 0.0.0-nightly-dd3fb69fd-20250508, 0.0.0-nightly-dd520b0ac-20250430, 0.0.0-nightly-dede70577-20250306, 
0.0.0-nightly-dfd2d1494-20240716, 0.0.0-nightly-e141f39e0-20241107, 0.0.0-nightly-e3c67ede3-20240815, 0.0.0-nightly-e4a178932-20250509, 0.0.0-nightly-e711f0050-20241230, 0.0.0-nightly-e85f691d1-20240816, 0.0.0-nightly-e93e2b792-20250328, 0.0.0-nightly-ec37db8f4-20240702, 0.0.0-nightly-edb5fbe60-20250501, 0.0.0-nightly-efdf26c3e-20250429, 0.0.0-nightly-f0145cca3-20241203, 0.0.0-nightly-f0cd1c5cc-20241029, 0.0.0-nightly-f1e14a23b-20250320, 0.0.0-nightly-f3a07bb27-20250307, 0.0.0-nightly-f47048541-20240813, 0.0.0-nightly-f763fd2eb-20241122, 0.0.0-nightly-f9f4a27a3-20250211, 0.0.0-nightly-fa0068005-20250131, 0.0.1, 0.10.0, 0.10.1, 0.10.2, 0.11.0, 0.11.1, 0.11.2, 0.11.3, 0.11.4, 0.11.5, 0.11.6, 0.12.0, 0.12.1, 0.12.2, 0.12.3, 0.12.4, 0.13.0, 0.13.1, 0.13.2, 0.13.3, 0.13.4, 0.13.5, 0.13.6, 0.4.0, 0.4.1, 0.4.2, 0.5.0, 0.5.1, 0.5.2, 0.5.3, 0.6.0, 0.6.1, 0.7.0, 0.8.0, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.9.4, 0.9.5, 1.0.0, 1.0.0-alpha1, 1.0.0-alpha2, 1.0.0-beta1, 1.0.0-beta2, 1.0.0-beta3, 1.0.0-beta4, 1.0.0-rc1, 1.0.0-rc2, 1.0.0-rc3, 1.0.0-rc4, 1.0.1, 1.0.2, 1.0.3, 2.0.0, 2.0.0-rc1, 2.0.0-rc2, 2.0.0-rc3, 2.0.0-rc4, 2.0.0-rc5, 2.0.0-rc6, 2.0.1, 2.1.0, 2.1.1, 2.2.0, 2.2.1, 2.2.2, 2.2.4, 2.3.0, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.7.0, 2.8.0, 2.8.1, 3.0.0, 3.0.0-alpha.1, 3.0.0-alpha.2, 3.0.0-alpha.3, 3.0.0-beta.1, 3.0.1, 3.0.2, 3.0.3, 3.0.4, 3.0.5, 3.0.6-pre.0, 3.1.0-rc.1, 3.2.0, 3.2.1, 3.2.2, 3.2.3, 3.2.4, 3.2.5, 3.2.6, 4.0.0, 4.0.0-0, 4.0.0-1, 4.0.0-2, 4.0.0-alpha.3, 4.0.0-alpha.4, 4.0.0-alpha.5, 4.0.0-alpha.6, 4.0.0-beta.1, 4.0.0-beta.2, 4.0.0-beta.3, 4.0.0-beta.4, 4.0.0-beta.5, 4.0.0-beta.6, 4.0.0-beta.7, 4.0.0-beta.8, 4.1.0, 4.1.1, 4.1.2, 4.2.0, 4.3.0, 4.3.0-rc.1, 4.3.0-rc.2, 4.3.0-rc.3, 4.3.1, 4.4.0-alpha.0, 4.4.0-alpha.1, 4.4.0-beta.0, 4.4.0-beta.1, 4.4.0-beta.2, 4.4.0-beta.3, 4.4.0-beta.4, 4.4.0-beta.5, 4.4.0-beta.6, 4.4.0-beta.7, 4.4.0-beta.8, 5.0.0, 5.0.1, 5.1.0, 5.1.1, 5.1.2, 5.2.0, 5.2.1, 5.3.1, 5.3.2, 5.3.3, 5.3.4, 6.0.0-alpha.0, 6.0.0-alpha.1, 
6.0.0-alpha.2, 6.0.0-alpha.3, 6.0.0-alpha.4, 6.0.0-alpha.5, 6.0.0-beta.0, 6.0.0-beta.1, 6.0.0-beta.2, 6.0.0-beta.3, 6.0.0-beta.4, 6.0.0-beta.5, 6.0.0-beta.6, 6.0.0-beta.7, 6.0.0-beta.8, 6.30.2, 6.30.3, 6.30.3-pre-v6.0, 7.12.0, 7.13.0, 7.13.0-pre.0, 7.13.1, 7.13.1-pre.0, 7.13.2-pre.0]
Recommendation: Update to version 7.13.1.

639 Other Versions

Version License Security Released
0.0.0-nightly-d3e913b81-20250301 MIT 2025-03-01 - 07:06 about 1 year
0.0.0-nightly-4da1dee21-20250304 MIT 2025-03-04 - 07:07 about 1 year
0.0.0-nightly-dede70577-20250306 MIT 2025-03-06 - 07:07 about 1 year
0.0.0-nightly-f3a07bb27-20250307 MIT 2025-03-07 - 07:07 about 1 year
0.0.0-nightly-4abec7a1b-20250313 MIT 2025-03-13 - 07:07 about 1 year
0.0.0-nightly-5ab7ff74e-20250314 MIT 2025-03-14 - 07:07 about 1 year
0.0.0-nightly-cd50dc631-20250315 MIT 2025-03-15 - 07:07 about 1 year
0.0.0-nightly-4f885c4f7-20250317 MIT 2025-03-17 - 07:07 about 1 year
0.0.0-nightly-bc437079e-20250318 MIT 2025-03-18 - 07:07 about 1 year
0.0.0-nightly-f1e14a23b-20250320 MIT 2025-03-20 - 07:07 12 months
0.0.0-nightly-2e661fbb4-20250327 MIT 2025-03-27 - 07:08 12 months
0.0.0-nightly-e93e2b792-20250328 MIT 2025-03-28 - 07:08 12 months
0.0.0-nightly-c0f766f34-20250329 MIT 2025-03-29 - 07:06 12 months
0.0.0-nightly-d07cefedf-20250401 MIT 2025-04-01 - 07:08 12 months
0.0.0-nightly-b8cf1b6e3-20250402 MIT 2025-04-02 - 07:08 12 months
0.0.0-nightly-bd50e0760-20250405 MIT 2025-04-05 - 07:07 12 months
0.0.0-nightly-a87b7960c-20250408 MIT 2025-04-08 - 07:08 12 months
0.0.0-nightly-c40f7861c-20250409 MIT 2025-04-09 - 07:08 11 months
0.0.0-nightly-9b3accc5e-20250410 MIT 2025-04-10 - 07:08 11 months
0.0.0-nightly-7bc242270-20250412 MIT 2025-04-12 - 07:07 11 months
0.0.0-nightly-cd5681bd2-20250415 MIT 2025-04-15 - 07:08 11 months
0.0.0-nightly-726b5249a-20250416 MIT 2025-04-16 - 07:08 11 months
0.0.0-nightly-428117233-20250418 MIT 2025-04-18 - 07:08 11 months
0.0.0-nightly-8e4963fae-20250424 MIT 2025-04-24 - 07:08 11 months
0.0.0-nightly-1c03f313d-20250425 MIT 2025-04-25 - 07:08 11 months
0.0.0-nightly-d1aaa2d4a-20250426 MIT 2025-04-26 - 07:06 11 months
0.0.0-nightly-efdf26c3e-20250429 MIT 2025-04-29 - 07:08 11 months
0.0.0-nightly-dd520b0ac-20250430 MIT 2025-04-30 - 07:08 11 months
0.0.0-nightly-edb5fbe60-20250501 MIT 2025-05-01 - 07:08 11 months
0.0.0-nightly-7583dc758-20250502 MIT 2025-05-02 - 07:08 11 months
0.0.0-nightly-2c87a07f8-20250503 MIT 2025-05-03 - 07:07 11 months
0.0.0-nightly-5af3eaa96-20250506 MIT 2025-05-06 - 07:08 11 months
0.0.0-nightly-b7b187661-20250507 MIT 2025-05-07 - 07:08 11 months
0.0.0-nightly-dd3fb69fd-20250508 MIT 2025-05-08 - 07:08 11 months
0.0.0-nightly-e4a178932-20250509 MIT 2025-05-09 - 07:08 10 months
0.0.0-nightly-0c08bd001-20250510 MIT 2025-05-10 - 07:07 10 months
0.0.0-nightly-30460939b-20250517 MIT 2025-05-17 - 07:07 10 months
0.0.0-nightly-8389d48e0-20250512 MIT 2025-05-12 - 07:08 10 months
0.0.0-nightly-5d6f8013e-20250513 MIT 2025-05-13 - 07:08 10 months