Security Update: Multiple vulnerabilities in React Router and Remix
January 19, 2026
The React Router team has disclosed six security vulnerabilities affecting React Router and Remix. Here’s what Netlify customers need to know.
Vulnerabilities
| Vulnerability | Remix versions | React Router versions | React Router modes |
|---|---|---|---|
| CVE-2025-61686 - Path traversal | ≤2.17.1 | 7.0.0–7.9.3 | All modes |
| CVE-2025-68470 - Open redirect | - | 6.0.0–6.30.1, 7.0.0–7.9.5 | All modes |
| CVE-2026-22030 - CSRF | ≤2.17.2 | 7.0.0–7.11.0 | Framework only |
| CVE-2025-59057 - Meta XSS | 1.15.0–2.17.0 | 7.0.0–7.8.2 | Framework only |
| CVE-2026-22029 - Redirect XSS | ≤2.17.3 | 6.0.0–6.30.2, 7.0.0–7.11.0 | Framework, Data |
| CVE-2026-21884 - ScrollRestoration XSS | ≤2.17.2 | 7.0.0–7.11.0 | Framework only |
Impact on Netlify
CVE-2025-61686 (path traversal)
This vulnerability affects @react-router/node, @remix-run/node, and @remix-run/deno. These packages are not used on Netlify, so Netlify projects are not affected.
CVE-2025-68470 (open redirect)
Apps with unsafe uses of React Router navigation APIs may be hijacked to redirect to arbitrary origins.
Regardless of hosting provider, all apps constructing paths from untrusted user input may be vulnerable.
CVE-2026-22030 (CSRF)
Actions and experimental RSC Server Functions can be triggered by cross-origin form submissions, allowing an attacker to execute actions on behalf of authenticated users.
Regardless of hosting provider, all apps may be vulnerable.
CVE-2025-59057, CVE-2026-22029, and CVE-2026-21884 (XSS)
These are cross-site scripting (XSS) vulnerabilities. For example, in CVE-2026-22029, actions and experimental RSC Server Functions that redirect to a path constructed from untrusted user input may be hijacked to execute arbitrary JavaScript in the browser.
Regardless of hosting provider, all apps passing untrusted data into certain APIs may be vulnerable. (The Remix team has left this intentionally vague.)
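The open redirect and redirect XSS issues above both start with a redirect target built from untrusted input. The following helper, added here as an illustration and not code from the React Router or Remix projects, normalises a user-supplied return path before it is handed to a redirect; the function name, the fallback value and the placeholder base origin are assumptions.

```javascript
// Added example (not part of this advisory or of React Router/Remix):
// validate an untrusted "return to" value before using it as a redirect target.
// The helper name, the fallback value and the placeholder base origin are assumptions.

const PLACEHOLDER_BASE = "http://placeholder.invalid"; // only used to resolve relative paths

// Returns a same-origin, path-only target ("/path?query#hash") or `fallback`.
function safeRedirectPath(input, fallback = "/") {
  if (typeof input !== "string" || input.length === 0) return fallback;

  // Reject ASCII control characters outright: the URL parser silently drops
  // tab/newline, which would otherwise turn "/\t/host" into "//host".
  if (/[\u0000-\u001f\u007f]/.test(input)) return fallback;

  // Must be an absolute path on this origin: a single leading "/" that is not
  // followed by "/" or "\" (both are parsed as a scheme-relative host).
  if (input[0] !== "/" || input[1] === "/" || input[1] === "\\") return fallback;

  let url;
  try {
    url = new URL(input, PLACEHOLDER_BASE);
  } catch {
    return fallback;
  }

  // Belt and braces: the parsed result must still live on the placeholder origin.
  if (url.origin !== PLACEHOLDER_BASE) return fallback;

  // Re-serialise only the path components, so the placeholder origin never leaks
  // and dot segments ("/a/../b") are normalised.
  return url.pathname + url.search + url.hash;
}

// Sample untrusted values (constructed for this example) and how they are treated.
const samples = [
  "/account/settings?tab=security", // kept as-is
  "/a/../b",                        // normalised to "/b"
  "//attacker.example/phish",       // scheme-relative host: rejected
  "/\\attacker.example",            // backslash variant: rejected
  "https://attacker.example/",      // absolute URL: rejected
  "javascript:void(0)",             // non-path scheme: rejected
];
for (const s of samples) console.log(JSON.stringify(s), "->", safeRedirectPath(s));
```

The validated value, not the raw query parameter, is what should reach `redirect()` or a navigation call.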
What should I do?
If any of your projects are using any affected version listed above, we strongly recommend upgrading as soon as possible to patched releases:
- react-router 7.12.0 or later (for React Router 7.x)
- react-router 6.30.2 or later (for React Router 6.x)
- @remix-run/react 2.17.4 or later
- @remix-run/server-runtime 2.17.4 or later
Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.