CVE-2025-59057
HIGH
Shopify React-router < 7.8.2 - XSS
Title source: ruleDescription
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
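The general weakness class behind this description, shown as an added example that is not React Router's code or its patch: JSON serialized straight into a server-rendered `<script type="application/ld+json">` element can close that element early, while escaping HTML-significant characters as JSON unicode escapes keeps the data inert and still parseable. All function names and the sample object are hypothetical and constructed for illustration.

```javascript
// Added example; renderJsonLdUnsafe, renderJsonLdSafe and `sample` are hypothetical names.

// Characters that can end or confuse the enclosing <script> element, mapped to
// JSON unicode escapes that JSON.parse turns back into the same characters.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

function escapeJsonForHtml(json) {
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}

// Weak pattern: JSON.stringify leaves "<" untouched, so a string value that
// contains "</script>" terminates the element and the rest is parsed as HTML.
function renderJsonLdUnsafe(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened pattern: same JSON, with HTML-significant characters escaped.
function renderJsonLdSafe(data) {
  const json = escapeJsonForHtml(JSON.stringify(data));
  return `<script type="application/ld+json">${json}</script>`;
}

// Number of script end tags an HTML parser would see in the rendered markup.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Recovers the JSON-LD object from markup that holds exactly one element.
function extractJsonLd(html) {
  const m = html.match(/^<script type="application\/ld\+json">([\s\S]*)<\/script>$/);
  return JSON.parse(m[1]);
}

// Constructed sample: a product name that came from untrusted input.
const sample = {
  "@context": "https://schema.org",
  "@type": "Product",
  name: "Widget</script><b>injected</b>",
};

console.log("unsafe end tags:", countScriptCloses(renderJsonLdUnsafe(sample)));
console.log("safe end tags:", countScriptCloses(renderJsonLdSafe(sample)));
```

Applications that cannot upgrade immediately can use a check like `countScriptCloses` in an SSR test to confirm that values reaching `meta()` never produce more than one end tag per JSON-LD element.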
Exploits (1)
Scores
CVSS v3
7.6
EPSS
0.0002
EPSS Percentile
5.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (4)
npm/react-router
7.0.0 - 7.9.0 (npm)
remix-run/react
1.15.0 - 2.17.1 (npm)
shopify/react-router
7.0.0 - 7.8.2
shopify/remix-run/react
1.15.0 - 2.17.0
Published
Jan 10, 2026
Tracked Since
Feb 18, 2026