chore(deps): update dependency react-router to v7.15.1 [security] #982

Open

renovate[bot] wants to merge 1 commit into develop from renovate/npm-react-router-vulnerability

Conversation

renovate bot commented Jun 17, 2026 (Contributor)

This PR contains the following updates:

Package: react-router (source)
Change: 7.15.0 → 7.15.1

React Router allows a DoS via cache poisoning by forcing SPA mode

CVE-2025-43864 / GHSA-f46r-rw29-r322

More information

Details

Summary

After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application.

Details

The vulnerable header is X-React-Router-SPA-Mode; adding it to a request sent to a page/endpoint using a loader throws an error. Here is the vulnerable code:

[screenshot: the vulnerable code]

To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.

Steps to reproduce

Versions used for our PoC:

  • "@react-router/node": "^7.5.0",
  • "@react-router/serve": "^7.5.0",
  • "react": "^19.0.0"
  • "react-dom": "^19.0.0"
  • "react-router": "^7.5.0"

  1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
  2. Add a simple page using a loader (example: routes/ssr)

[screenshot]

  3. Send a request to the endpoint using the loader (/ssr in our case) adding the following header:
     X-React-Router-SPA-Mode: yes

Notice the difference between a request with and without the header:

Normal request
[screenshot]

With the header
[screenshot]

Impact

If a system cache is in place, it is possible to poison the response by completely altering its content (by an error message), strongly impacting its availability, making the latter impractical via a cache-poisoning attack.

Credits
  • Rachid Allam (zhero;)
  • Yasser Allam (inzo_)

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


React Router has XSS Vulnerability

CVE-2025-59057 / GHSA-3cgp-3xvw-98x8

More information

Details

An XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.

[!NOTE]
This does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

  • CVSS Score: 7.6 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N



React Router has unexpected external redirect via untrusted paths

CVE-2025-68470 / GHSA-9jcx-v3wj-wh4m

More information

Details

An attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N



React Router SSR XSS in ScrollRestoration

CVE-2026-21884 / GHSA-8v8x-cx79-35w7

More information

Details

An XSS vulnerability exists in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

[!NOTE]
This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
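Both script-injection advisories above (CVE-2025-59057 and CVE-2026-21884) share one SSR hazard: a string the server inlines into a <script> element is not HTML-escaped, so a "</script>" inside it ends the element early and the rest is parsed as markup. The following is an added example, not React Router's code, showing the naive rendering of a JSON-LD tag beside the escaped one; the untrusted input object is constructed, and the same escaping applies to any string inlined into a script, such as a scroll-restoration storage key.

```javascript
// Added example (not React Router's own code). Escape a string for the
// inline-<script> context: "<", ">" and "&" become JSON/JS unicode escapes,
// which JSON.parse and the JS engine decode back, but the HTML parser never
// sees a literal "</script". U+2028/2029 are escaped for older JS parsers.
function escapeForInlineScript(text) {
  return text
    .replace(/</g, "\\u003c")
    .replace(/>/g, "\\u003e")
    .replace(/&/g, "\\u0026")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
}

// Serialize an object so it can be embedded as <script type="application/ld+json">.
function jsonForScriptTag(value) {
  return escapeForInlineScript(JSON.stringify(value));
}

// Naive rendering: the data is dropped into the tag as-is (the bug pattern).
function renderLdJsonUnsafe(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened rendering: same tag, escaped payload.
function renderLdJsonSafe(data) {
  return `<script type="application/ld+json">${jsonForScriptTag(data)}</script>`;
}

// Self-check usable in a test: more than one "</script" in the rendered HTML
// means the payload terminated the element early.
function scriptBreakout(html) {
  return (html.match(/<\/script/gi) || []).length > 1;
}

// Constructed untrusted input, e.g. a product name coming from a CMS.
const UNTRUSTED = { "@type": "Product", name: "Widget</script><b>injected</b>" };
```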

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N



React Router vulnerable to XSS via Open Redirects

CVE-2026-22029 / GHSA-2w69-qvjg-hvjx

More information

Details

React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.

[!NOTE]
This does not impact applications that use Declarative Mode (<BrowserRouter>).

Severity

  • CVSS Score: 8.0 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N



React Router has CSRF issue in Action/Server Action Request Processing

CVE-2026-22030 / GHSA-h5cw-625j-3rxh

More information

Details

React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.

[!NOTE]
This does not impact your application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

  • CVSS Score: 6.5 / 10 (Medium)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N



React Router allows pre-render data spoofing on React-Router framework mode

CVE-2025-43865 / GHSA-cpj6-fhp6-mr6j

More information

Details

Summary

After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.

Details

The vulnerable header is X-React-Router-Prerender-Data, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is the vulnerable code:

[screenshot: the vulnerable code]

To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.

Steps to reproduce

Versions used for our PoC:

  • "@react-router/node": "^7.5.0",
  • "@react-router/serve": "^7.5.0",
  • "react": "^19.0.0"
  • "react-dom": "^19.0.0"
  • "react-router": "^7.5.0"

  1. Install React-Router with its default configuration in Framework mode (https://reactrouter.com/start/framework/installation)
  2. Add a simple page using a loader (example: routes/ssr)
  3. Access your page (which uses the loader) by suffixing it with .data. In our case the page is called /ssr:

[screenshot]

We access it by adding the suffix .data and retrieve the data object, needed for the header:

[screenshot]

  4. Send your request by adding the X-React-Router-Prerender-Data header with the previously retrieved object as its value. You can change any value of your data object (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):

[screenshot]

As you can see, all values have been changed/overwritten by the values provided via the header.

Impact

The impact is significant: if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker, allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks, including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.
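The two header-driven advisories above (CVE-2025-43864 and CVE-2025-43865) share a mitigation that does not depend on upgrading: both headers exist for the framework's own use, so a layer in front of the request handler can refuse them from the public internet before a loader runs or a cache stores the result. The added example below (not React Router's code) does that and also scans access-log lines for past attempts; it assumes a reverse proxy or middleware ahead of the handler, and the hdr=name:value log field and the log lines themselves are constructed.

```javascript
// Added example (not React Router's own code). Assumption: in a deployed app
// nothing outside the framework needs these headers, so a public request
// carrying one is treated as hostile and answered with an uncacheable 400.
const INTERNAL_ROUTER_HEADERS = new Set([
  "x-react-router-spa-mode",
  "x-react-router-prerender-data",
]);

// Names of internal headers present on the request, matched case-insensitively.
function findInternalRouterHeaders(headers) {
  return Object.keys(headers)
    .map((name) => name.toLowerCase())
    .filter((name) => INTERNAL_ROUTER_HEADERS.has(name))
    .sort();
}

// Edge decision: "reject" -> respond 400 with Cache-Control: no-store and stop;
// "pass" -> forward the request unchanged to the React Router handler.
function guardRequest(headers) {
  const offending = findInternalRouterHeaders(headers);
  if (offending.length > 0) {
    return { action: "reject", status: 400, offending,
             responseHeaders: { "cache-control": "no-store" } };
  }
  return { action: "pass", status: 200, headers };
}

// Detection over access logs. Constructed line format (hypothetical):
//   <ip> <method> <path> <status> [hdr=<name>:<value>;<name>:<value>...]
function flagSuspiciousLogLines(lines) {
  const hits = [];
  for (const line of lines) {
    const m = /hdr=(\S+)/.exec(line);
    if (!m) continue;
    const names = m[1].split(";").map((kv) => kv.split(":")[0].toLowerCase());
    const bad = names.filter((n) => INTERNAL_ROUTER_HEADERS.has(n));
    if (bad.length > 0) hits.push({ line, headers: bad });
  }
  return hits;
}

// Constructed sample log lines so the block runs stand-alone.
const SAMPLE_LOG = [
  "203.0.113.5 GET /ssr 200",
  "203.0.113.9 GET /ssr 500 hdr=X-React-Router-SPA-Mode:yes",
  "198.51.100.2 GET /ssr.data 200 hdr=Accept:*/*",
  '198.51.100.7 GET /ssr 200 hdr=x-react-router-prerender-data:{"a":1}',
];
```

The 500 beside the SPA-mode header in the second constructed line is exactly the cached-error signature the first advisory describes, so alerting on that combination is a reasonable detection rule in addition to the edge rejection.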

Credits
  • Rachid Allam (zhero;)
  • Yasser Allam (inzo_)

Severity

  • CVSS Score: 8.2 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H



React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

CVE-2026-40181 / GHSA-2j2x-hqr9-3h42

More information

Details

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>)
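The three redirect advisories above (CVE-2025-68470, CVE-2026-22029 and CVE-2026-40181) all come down to a navigation or redirect target built from untrusted input, including the protocol-relative "//host" form; the added example below (not React Router's code) is an allow-list validator that only lets same-origin absolute paths through and normalises them before use. TRUSTED_ORIGIN is a placeholder for the application's own origin.

```javascript
// Added example (not React Router's own code). Policy: a redirect target taken
// from user input must be an absolute path on our own origin. Anything else
// (absolute URL, protocol-relative "//host", backslash variants, scheme-like
// strings, control characters) yields null so the caller can fall back.
const TRUSTED_ORIGIN = "https://app.example"; // placeholder, not a real deployment

function safeRedirectPath(input) {
  if (typeof input !== "string" || input.length === 0) return null;
  // Must start with exactly one "/": "//" is protocol-relative and "/\" is
  // turned into "//" by the WHATWG URL parser for http(s).
  if (!input.startsWith("/") || /^\/[\/\\]/.test(input)) return null;
  // Control characters and whitespace can change how a URL is parsed downstream.
  if (/[\u0000-\u001f\u007f\s]/.test(input)) return null;
  let url;
  try {
    url = new URL(input, TRUSTED_ORIGIN);
  } catch {
    return null;
  }
  // Re-check after parsing: the resolved URL must still be ours over http(s).
  if (url.origin !== TRUSTED_ORIGIN) return null;
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  if (url.pathname.startsWith("//")) return null;
  // Return the normalised path ("/a/../b" becomes "/b"), keeping query and hash.
  return url.pathname + url.search + url.hash;
}

// Wrapper for use with redirect()/navigate(): never throw, fall back instead.
function safeRedirectTarget(input, fallback = "/") {
  const path = safeRedirectPath(input);
  return path === null ? fallback : path;
}
```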

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U



React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

CVE-2026-42211 / GHSA-49rj-9fvp-4h2h

More information

Details

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in which the second step can trigger unauthorized RCE on the remote server.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H



React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

CVE-2026-42342 / GHSA-8x6r-g9mw-2r78

More information

Details

There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degradation and/or service unavailability for end users.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H



React Router vulnerable to Denial of Service via reflected user input in single-fetch

CVE-2026-34077 / GHSA-rxv8-25v2-qmq8

More information

Details

A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0 or later.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H



React Router: Potential CSRF via PUT/PATCH/DELETE document requests

CVE-2026-53663 / GHSA-84g9-w2xq-vcv6

More information

Details

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
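For the two CSRF advisories above (CVE-2026-22030 and CVE-2026-53663) a defence-in-depth check in front of the action handler should cover every state-changing method, not only POST, which is the gap the second advisory describes; the added example below (not React Router's code) checks Sec-Fetch-Site first, then Origin, then Referer, against an allow-list of the app's own origins. It assumes header keys are lower-cased, as Node's http module delivers them.

```javascript
// Added example (not React Router's own code). Applied to document requests
// before the route action runs; GET/HEAD/OPTIONS are not gated here because
// they must not change state in the first place.
const MUTATION_METHODS = new Set(["POST", "PUT", "PATCH", "DELETE"]);

function isMutation(method) {
  return MUTATION_METHODS.has(String(method).toUpperCase());
}

// Origin of a Referer URL, or null when absent or unparsable.
function originOf(referer) {
  if (!referer) return null;
  try {
    return new URL(referer).origin;
  } catch {
    return null;
  }
}

// Returns { ok: true } or { ok: false, reason }. headers: lower-case keys.
function checkMutationOrigin(method, headers, allowedOrigins) {
  if (!isMutation(method)) return { ok: true };
  // Modern browsers: Sec-Fetch-Site is authoritative and cannot be forged by pages.
  const site = headers["sec-fetch-site"];
  if (site === "same-origin" || site === "none") return { ok: true };
  if (site === "cross-site" || site === "same-site") {
    return { ok: false, reason: "sec-fetch-site=" + site };
  }
  // Older clients: fall back to Origin, then the Referer's origin.
  const origin = headers["origin"] || originOf(headers["referer"]);
  if (!origin) return { ok: false, reason: "no Origin or Referer on mutation request" };
  if (!allowedOrigins.includes(origin)) {
    return { ok: false, reason: "origin " + origin + " not allowed" };
  }
  return { ok: true };
}
```

A failed check should be answered with a 403 and logged with the method and the reason, since a burst of rejected PUT/PATCH/DELETE document requests is the signal a defender wants for this class of issue.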

Severity

  • CVSS Score: 3.1 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N



Release Notes

remix-run/react-router (react-router)

v7.15.1

Patch Changes
  • Update router to operate on fetcher Maps in an immutable manner to avoid delayed React renders from potentially reading an updated but not yet committed Map. This could result in brief flickers in some fetcher-driven optimistic UI scenarios. (#15028)
  • Fix serverLoader() returning stale SSR data when a client navigation aborts pending hydration before the hydration clientLoader resolves (#15022)
  • Fix RouterProvider onError callback not being called for synchronous initial loader errors in SPA mode (#15039) (#14942)
  • Memoize useFetchers to return a stable identity and only change if fetchers changed (#15028)
  • Internal refactor to consolidate mutation request detection through shared utility (#15033)
Unstable Changes

⚠️ Unstable features are not recommended for production use

  • Add a new unstable_useRouterState() hook that consolidates access to active and pending router states (RFC: #12358) (#15017)
    • Data/Framework/RSC only — throws when used without a data router

    • This should allow you to consolidate usages of the following hooks which will likely be deprecated and removed in a future major version

      • useLocation
      • useSearchParams
      • useParams
      • useMatches
      • useNavigationType
      • useNavigation
      let { active, pending } = unstable_useRouterState();
      
      // Active is always populated with the current location
      active.location; // replaces `useLocation()`
      active.searchParams; // replaces `useSearchParams()[0]`
      active.params; // replaces `useParams()`
      active.matches; // replaces `useMatches()`
      active.type; // replaces `useNavigationType()`
      
      // Pending is only populated during a navigation
      pending.location; // replaces `useNavigation().location`
      pending.searchParams; // equivalent to `new URLSearchParams(useNavigation().search)`
      pending.params; // Not directly accessible today
      pending.matches; // Not directly accessible today
      pending.type; // Not directly accessible today
      pending.state; // replaces `useNavigation().state`
      pending.formMethod; // replaces useNavigation().formMethod
      pending.formAction; // replaces useNavigation().formAction
      pending.formEncType; // replaces useNavigation().formEncType
      pending.formData; // replaces useNavigation().formData
      pending.json; // replaces useNavigation().json
      pending.text; // replaces useNavigation().text

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
