React Router Flaws Expose Servers to RCE, XSS, and DoS
Multiple vulnerabilities were disclosed in the widely used React Router npm package, including a reported remote code execution issue tracked as CVE-2026-42211 that researchers said could allow unauthenticated attackers to gain shell access when chained with an existing prototype pollution weakness. Additional flaws include CVE-2026-33245, a client-side cross-site scripting bug in redirect handling for applications using unstable React Server Components APIs, plus CVE-2026-34077 and CVE-2026-42342, two denial-of-service issues tied to serialization and manifest endpoint performance that can crash or degrade backend services.
The XSS issue affects React Router versions 7.7.0 through 7.13.1 when redirects originate from untrusted sources and use javascript: targets; applications not using the unstable RSC APIs or running in standard Declarative Mode are not impacted. Maintainers patched CVE-2026-33245 in React Router 7.13.2, while broader mitigation for the full set of reported issues requires upgrading to React Router 7.15.0 or Remix 2.17.5.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Maintainers issue broader React Router and Remix updates
Mitigations for the broader set of disclosed issues were made available by upgrading to React Router 7.15.0 or Remix 2.17.5. The update addressed the newly reported RCE, XSS, and DoS vulnerabilities.
Researchers disclose multiple React Router vulnerabilities
Researchers reported multiple critical React Router vulnerabilities, including RCE flaw CVE-2026-42211, XSS flaw CVE-2026-33245, and DoS issues CVE-2026-34077 and CVE-2026-42342. The report said standard Declarative Mode was not affected.
React Router patches CVE-2026-33245 in version 7.13.2
React Router fixed CVE-2026-33245 in version 7.13.2. The vulnerability could be triggered through javascript: redirect targets from untrusted sources when applications used unstable RSC APIs.
GitHub security advisory received for React Router XSS flaw
The advisory for CVE-2026-33245 was received by security-advisories@github.com. The flaw is a client-side XSS issue in React Router's unstable React Server Components redirect handling affecting versions 7.7.0 through 7.13.1.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical React Server Components Flaws Expose Next.js App Router Deployments
Next.js disclosed a **critical remote code execution** vulnerability affecting applications that use the **App Router**, tracing the issue to the upstream React Server Components protocol as `CVE-2025-55182` and the downstream Next.js impact as `CVE-2025-66478`. The flaw carries a **CVSS 10.0** rating and can be triggered by attacker-controlled requests in unpatched environments, with maintainers warning that **no workaround exists**. Affected releases include multiple `15.x` and `16.x` branches and `14.3.0-canary.77` and later canary builds, while `13.x`, stable `14.x`, **Pages Router** applications, and the **Edge Runtime** were reported as unaffected. Next.js issued patched releases, published the `fix-react2shell-next` npm remediation tool, and advised organizations whose applications were online and unpatched at the disclosed cutoff to **rotate secrets after patching**. The company later reported two additional upstream React Server Components issues with downstream impact on Next.js App Router deployments: `CVE-2025-55184`, a **high-severity denial-of-service** flaw that can hang the server process through a crafted HTTP request, and `CVE-2025-55183`, a **medium-severity source code exposure** bug that can cause a Server Function to return compiled source code from other Server Functions. Next.js said neither new issue enables remote code execution and that the earlier React2Shell mitigation remains effective, but it also acknowledged that the initial fix for `CVE-2025-55184` was incomplete and was superseded by `CVE-2025-67779`, forcing some users to upgrade again. The affected range spans App Router deployments from `13.3` across several `14.x`, `15.x`, and `16.x` release lines, and the vendor again said **Pages Router** applications are not affected and urged immediate upgrades to the latest patched versions.
Mar 31, 2026
Denial-of-Service and Source Code Exposure Vulnerabilities in React Server Components
Multiple vulnerabilities have been identified in React Server Components (RSC), specifically CVE-2025-55183, CVE-2025-55184, and CVE-2025-67779, affecting several versions of `react-server-dom-webpack`, `react-server-dom-parcel`, and `react-server-dom-turbopack`. These vulnerabilities, discovered following the React2Shell incident, include a high-severity denial-of-service (DoS) flaw (CVE-2025-55184) caused by unsafe deserialization of structured input in the RSC Flight protocol, which can be exploited by sending specially crafted requests that trigger infinite loops or event-loop lockups on the server. The vulnerabilities also raise concerns about potential source code exposure and highlight the risk of residual flaws being discovered after major disclosures. The React Foundation has issued advisories and patches for affected versions, and the Canadian Centre for Cyber Security has urged administrators to update impacted libraries and frameworks, including popular tools such as Next.js, Vite RSC plugin, Parcel RSC plugin, React Router RSC preview, RedwoodSDK, and Waku. No public exploits are currently available, but the vulnerabilities have a higher-than-average likelihood of exploitation, emphasizing the importance of prompt remediation and ongoing vigilance for follow-on issues after initial vulnerability disclosures.
Mar 21, 2026
Next.js Patches App Router Flaws as Middleware Bypass PoCs Spread
Vercel has released a broad set of security fixes for **Next.js** and related **React Server Components**, addressing more than a dozen vulnerabilities affecting App Router deployments across versions 13.x through 16.x and React Server Components 19.x. The disclosures include denial of service, server-side request forgery, cross-site scripting, cache poisoning, and multiple middleware authorization bypass conditions. Among the most serious issues is `CVE-2026-23870` (`GHSA-8h8q-6873-q5fj`), a high-severity denial-of-service flaw in React Flight deserialization that can be triggered through crafted requests to App Router Server Function endpoints, causing excessive CPU consumption; fixes were issued in Next.js `15.5.16` and `16.2.5`. Vercel also disclosed `CVE-2026-44578`, a high-severity SSRF issue in self-hosted Node.js deployments via crafted WebSocket upgrade requests.
May 25, 2026