CVE-2026-42211

Published Jun 2, 2026

Last updated 14 hours ago

CVSS high 8.1

Overview

AI description

Automated description summarized from trusted sources.

CVE-2026-42211 describes a vulnerability in React Router versions 7.0.0 through 7.14.1, specifically when the library is used in Framework Mode. This flaw can potentially lead to unauthorized remote code execution (RCE) through external requests. The vulnerability stems from a deserialization issue within React Router's vendored `turbo-stream` v2, which permits arbitrary constructor invocation via `TYPE_ERROR` deserialization. Exploiting CVE-2026-42211 is a two-step process. It first requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged to trigger the unauthorized RCE on the remote server. Applications utilizing Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`) are not affected by this vulnerability. The issue has been addressed in React Router version 7.14.2.

Description
React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2.
Source
security-advisories@github.com
NVD status
Analyzed
Products
react-router

Risk scores

CVSS 3.1

Type
Secondary
Base score
8.1
Impact score
5.9
Exploitability score
2.2
Vector string
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
HIGH

Weaknesses

security-advisories@github.com
CWE-502

Social media

Hype score is a measure of social media activity compared against trending CVEs from the past 12 months. Max score 100.

Hype score

4

  1. 🚨 cve-2026-42211: React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE Critical Vulnerability Alert! React Router is affected by CVE-2026-42211. Full Vulnerability Details &amp; Analysis at DarkE

    @zoomeye_team

    5 Jun 2026

    1443 Impressions

    6 Retweets

    16 Likes

    10 Bookmarks

    0 Replies

    0 Quotes

  2. React Routerで複数の脆弱性が修正。CVE-2026-42211は無認証での遠隔コード実行だが、既存のプロトタイプ汚染脆弱性との連鎖が前提。CVE-2026-33245はXSS。CVE-2026-34077とCVE-2026-42342はDoS。 https://t.co/gSQ2uPQYqY

    @__kokumoto

    4 Jun 2026

    563 Impressions

    0 Retweets

    4 Likes

    2 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.CVE-2026-42342
  2. React Router is a router for React. In versions 7.0.0 through 7.14.0 and 6.7.0 through 6.30.3, certain URLs passed to the redirect function can trigger an open redirect to an external domain due to path values starting with // being reinterpreted as protocol-relative URLs. The level of impact depends on the validation done by the application prior to returning the redirect. This does not impact applications using Declarative Mode (<BrowserRouter>). This is patched in versions 7.14.1 and 6.30.4.CVE-2026-40181
  3. React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.CVE-2026-34077
  4. React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.CVE-2026-33245
  5. React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.13.2.CVE-2026-33244

References

Sources include official advisories and independent security research.