CVE-2025-59057

HIGH

React Router 7.0.0-7.8.2 & @remix-run/react 1.15.0-2.17.0 XSS via meta()/<Meta> APIs

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2025-59057. PoCs published by boroeurnprach.

AI-analyzed exploit summary The repository describes a XSS vulnerability in React Router's `meta()/<Meta>` APIs during SSR when generating `script:ld+json` tags. However, the provided code snippets do not include an actual exploit or PoC, only configuration files and a README describing the vulnerability.

Description

React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.

Exploits (1)

nomisec WRITEUP

by boroeurnprach · poc

https://github.com/boroeurnprach/CVE-2025-59057-PoC

View Code ZIP pw:eip

The repository describes a XSS vulnerability in React Router's `meta()/<Meta>` APIs during SSR when generating `script:ld+json` tags. However, the provided code snippets do not include an actual exploit or PoC, only configuration files and a README describing the vulnerability.

Classification

Writeup 80%

Attack Type

Xss

Complexity

Moderate

Reliability

Theoretical

Target: React Router (Framework Mode)

No auth needed

Prerequisites: Server-side rendering (SSR) enabled · Untrusted content used in `meta()/<Meta>` APIs

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (1)

Core 1

Core References

Third Party Advisory x_refsource_confirm

https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8

Scores

CVSS v3 7.6

EPSS 0.0001

EPSS Percentile 1.2%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (4)

npm/react-router 7.0.0 - 7.9.0npm

remix-run/react 1.15.0 - 2.17.1npm

shopify/react-router 7.0.0 - 7.8.2

shopify/remix-run\/react 1.15.0 - 2.17.0

Published Jan 10, 2026

Tracked Since Feb 18, 2026