
cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*

part: a version: * update: *

Vendor: Shopify (b22c83ee-33c3-5cbf-82e4-8727c9195011)
Product: React Router (e7e4f363-dfdb-5f2d-9da0-7c01a40b9639)
Edition: *
Language: *
Software edition: *
Target software: node.js
Target hardware: *
Other: *
Notes: Imported from gcve-enriched-dumps CVE data

PURL mappings

PURL | Source | Last updated
No PURL mappings for this CPE yet.

Vulnerability references

Identifier | cpeApplicability | Submitted | db.gcve.eu details | Rationale
CVE:CVE-2026-22030 vulnerable 2026-06-03 15:15:52.614062 React Router has CSRF issue in Action/Server Action Request Processing
MEDIUM (6.5)
React Router is a router for React. In @remix-run/server-runtime versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route action handlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes. There is no impact if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/server-runtime version 2.17.3 and react-router version 7.12.0.
Published: 2026-01-10T02:42:44.603Z
Updated: 2026-01-12T18:09:39.441Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-22029 vulnerable 2026-06-03 15:15:52.613699 React Router vulnerable to XSS via Open Redirects
HIGH (8)
React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended JavaScript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Published: 2026-01-10T02:42:32.736Z
Updated: 2026-06-02T16:58:42.516Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2026-21884 vulnerable 2026-06-03 15:15:51.802223 React Router SSR XSS in ScrollRestoration
HIGH (8.2)
React Router is a router for React. In @remix-run/react versions prior to 2.17.3 and react-router 7.0.0 through 7.11.0, an XSS vulnerability exists in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
Published: 2026-01-10T02:41:44.944Z
Updated: 2026-02-26T15:04:51.084Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-68470 vulnerable 2026-06-03 15:11:03.259642 React Router has unexpected external redirect via untrusted paths
MEDIUM (6.5)
React Router is a router for React. In versions 6.0.0 through 6.30.1 and 7.0.0 through 7.9.5, an attacker-supplied path can be crafted so that when a React Router application navigates to it via navigate(), <Link>, or redirect(), the app performs a navigation/redirect to an external URL. This is only an issue if you are passing untrusted content into navigation paths in your application code. This issue has been patched in versions 6.30.2 and 7.9.6.
Published: 2026-01-10T02:39:41.078Z
Updated: 2026-01-12T18:17:43.794Z
Imported from gcve-enriched-dumps CVE data
CVE:CVE-2025-59057 vulnerable 2026-06-03 15:06:23.458062 React Router has XSS Vulnerability
HIGH (7.6)
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
Published: 2026-01-10T02:40:25.142Z
Updated: 2026-01-12T18:12:43.462Z
Imported from gcve-enriched-dumps CVE data
