AI description
CVE-2025-59057 describes a Cross-Site Scripting (XSS) vulnerability found within React Router's `meta()` and `<Meta>` APIs when operating in Framework Mode. This flaw specifically arises during the generation of `script:ld+json` tags. If untrusted user-supplied content is incorporated into this tag generation process, it can lead to the injection and execution of arbitrary JavaScript code during Server-Side Rendering (SSR). The vulnerability affects `@remix-run/react` versions 1.15.0 through 2.17.0 and `react-router` versions 7.0.0 through 7.8.2. Applications utilizing Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`) are not impacted by this issue.
- Description
- React Router is a router for React. In `@remix-run/react` versions 1.15.0 through 2.17.0 and `react-router` versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's `meta()`/`<Meta>` APIs in Framework Mode when generating `script:ld+json` tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`). This issue has been patched in `@remix-run/react` version 2.17.1 and `react-router` version 7.9.0.
- Source
- security-advisories@github.com
- NVD status
- Analyzed
- Products
- react-router, remix-run/react
CVSS 3.1
- Type
- Secondary
- Base score
- 7.6
- Impact score
- 4.7
- Exploitability score
- 2.3
- Vector string
- CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
- Severity
- HIGH
- security-advisories@github.com
- CWE-79
- Hype score
- Not currently trending
66 CVE-2025-58434 CVE-2025-59057 CVE-2025-59790 CVE-2025-59792 CVE-2025-61622 CVE-2025-61686 CVE-2025-64756 CVE-2026-21884 CVE-2026-22807 CVE-2026-23630 CVE-2026-27471 CVE-2026-27806 CVE-2026-27955 CVE-2026-28215 CVE-2026-28217 CVE-2026-28351 CVE-2026-28361 CVE-2026-28384
@BugBunny_ai
14 May 2026
🚨Dev alert💻! React Router has an XSS vulnerability reported in CVE-2025-59057 🔥. Protect your code and check the details here 👀: https://t.co/jZKOx4zTAG Keep your projects secure! #NoticiasDev 🛡️💪🚀
@GitHubComunidad
11 Jan 2026
CVE-2025-59057 XSS Vulnerability in React Router Meta APIs During Server-Side Rendering https://t.co/RQWSi0NRGP
@VulmonFeeds
10 Jan 2026
CVE-2025-59057 React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in i… https://t.co/RU7A5Bzxjp
@CVEnew
10 Jan 2026
⚠️ High severity XSS in React Router! CVE-2025-59057 affects react-router ≤7.8.2 & @remix-run/react ≤2.17.0 during SSR meta/ld+json generation. Update to 7.9.0 / 2.17.1 ASAP! #ReactRouter #WebSec (Jan 8, 2026 advisory – arbitrary JS execution possible with untruste
@The_Hunt_x
10 Jan 2026
[
  {
    "nodes": [
      {
        "cpeMatch": [
          {
            "criteria": "cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "F4E34485-ECF4-43E3-888E-CED503030BD0",
            "versionEndIncluding": "7.8.2",
            "versionStartIncluding": "7.0.0",
            "vulnerable": true
          },
          {
            "criteria": "cpe:2.3:a:shopify:remix-run\\/react:*:*:*:*:*:node.js:*:*",
            "matchCriteriaId": "54EBA7E4-4D3E-4BDD-92DD-BCC1ED3FDF4C",
            "versionEndIncluding": "2.17.0",
            "versionStartIncluding": "1.15.0",
            "vulnerable": true
          }
        ],
        "negate": false,
        "operator": "OR"
      }
    ]
  }
]
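
The affected version ranges in the configuration above can be turned into a dependency check. The following is an added example, not code from the advisory or from the React Router project; it assumes an npm lockfile (lockfileVersion 2 or 3) with a `packages` map, and the function names and the sample lockfile are constructed for illustration.

```javascript
// Affected ranges and fixed versions as stated in the CVE-2025-59057 description.
const AFFECTED = new Map([
  ["react-router", { start: "7.0.0", end: "7.8.2", fixed: "7.9.0" }],
  ["@remix-run/react", { start: "1.15.0", end: "2.17.0", fixed: "2.17.1" }],
]);

// Parse an exact "x.y.z" version; prereleases and anything else return null.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(String(text));
  return m ? m.slice(1).map(Number) : null;
}

// Numeric comparison of two [major, minor, patch] triples: -1, 0 or 1.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Walk the lockfile's "packages" map, including nested node_modules copies.
function scanLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    const range = AFFECTED.get(name);
    if (!range) continue;
    const v = parseVersion(entry.version);
    let status = "unknown"; // not an exact x.y.z version: review by hand
    if (v) {
      const inRange = compareVersions(v, parseVersion(range.start)) >= 0 &&
                      compareVersions(v, parseVersion(range.end)) <= 0;
      status = inRange ? "affected" : "ok";
    }
    findings.push({ path, name, version: entry.version, status, fixed: range.fixed });
  }
  return findings;
}

// Constructed sample input (hypothetical project, not a real lockfile).
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app" },
  "node_modules/react-router": { version: "7.8.2" },
  "node_modules/@remix-run/react": { version: "2.17.1" },
  "node_modules/legacy-widget/node_modules/@remix-run/react": { version: "1.15.0" },
  "node_modules/beta/node_modules/react-router": { version: "7.9.0-pre.1" },
} };

for (const f of scanLockfile(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(8)} ${f.name}@${f.version} (${f.path}), fixed in ${f.fixed}`);
}
```

An `affected` result only establishes that a version in the listed range is installed; per the description, exposure also requires Framework Mode and untrusted content reaching a `script:ld+json` tag.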