CVE-2026-42211
HIGH
React Router 7.0.0-7.14.1 - Framework Mode Deserialization Remote Code Execution
Title source: manual
Description
React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2.
References (1)
Core References
x_refsource_confirm
https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h
Scores
CVSS v3
8.1
EPSS
0.0037
EPSS Percentile
29.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-502
Status
published
Products (3)
npm/react-router
7.0.0 - 7.14.2 (npm)
remix-run/react-router
>= 7.0.0, < 7.14.2
shopify/react-router
7.0.0 - 7.14.2
Published
Jun 02, 2026
Tracked Since
Jun 03, 2026