---
title: "6 new React Router & Remix CVEs: what you need to know"
description: "Six CVEs affecting React Router and Remix have been disclosed. Affected projects should upgrade."
source: "https://www.netlify.com/changelog/2026-01-15-react-router-remix-security-vulnerabilities/"
last_updated: "2026-07-02T20:44:12.000Z"
---
The React Router team has disclosed six security vulnerabilities affecting React Router and Remix. Here’s what Netlify customers need to know.

## Vulnerabilities

| Vulnerability | Remix versions | React Router versions | React Router modes |
|---|---|---|---|
| [CVE-2025-61686](https://github.com/remix-run/react-router/security/advisories/GHSA-9583-h5hc-x8cw) - Path traversal | ≤2.17.1 | 7.0.0–7.9.3 | All modes |
| [CVE-2025-68470](https://github.com/remix-run/react-router/security/advisories/GHSA-9jcx-v3wj-wh4m) - Open redirect | - | 6.0.0–6.30.1, 7.0.0–7.9.5 | All modes |
| [CVE-2026-22030](https://github.com/remix-run/react-router/security/advisories/GHSA-h5cw-625j-3rxh) - CSRF | ≤2.17.2 | 7.0.0–7.11.0 | Framework only |
| [CVE-2025-59057](https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8) - Meta XSS | 1.15.0–2.17.0 | 7.0.0–7.8.2 | Framework only |
| [CVE-2026-22029](https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx) - Redirect XSS | ≤2.17.3 | 6.0.0–6.30.2, 7.0.0–7.11.0 | Framework, Data |
| [CVE-2026-21884](https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7) - ScrollRestoration XSS | ≤2.17.2 | 7.0.0–7.11.0 | Framework only |

## Impact on Netlify

### CVE-2025-61686 (path traversal)

This vulnerability affects `@react-router/node`, `@remix-run/node`, and `@remix-run/deno`. These packages are not used on Netlify, so **Netlify projects are not affected**.

### CVE-2025-68470 (open redirect)

Apps with unsafe uses of React Router navigation APIs may be hijacked to redirect to arbitrary origins.

**Regardless of hosting provider, all apps constructing paths from untrusted user input may be vulnerable.**

### CVE-2026-22030 (CSRF)

Actions and experimental RSC Server Functions can be triggered by cross-origin form submissions, allowing an attacker to execute actions on behalf of authenticated users.

**Regardless of hosting provider, all apps may be vulnerable.**
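Upgrading is the fix. As defense in depth, an app can also refuse state-changing requests that do not come from its own origin, which is the property a cross-origin form submission violates. The check below is an added example, not React Router's own code or the patch that closed this CVE: it looks at the `Origin` header that browsers attach to cross-origin form posts and falls back to `Sec-Fetch-Site`, failing closed when neither is present. `expectedOrigin` stands for the deployed site's origin and is an assumption about the app's configuration; the header objects in the demo are constructed.

```javascript
// Added example (not React Router's code): same-origin check for
// state-changing requests, suitable for the top of an action or a custom
// server middleware. Upgrading remains the actual fix for CVE-2026-22030.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Accept a Fetch `Headers` object or a plain object with arbitrary key casing.
function getHeader(headers, name) {
  if (typeof headers.get === "function") return headers.get(name);
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? null : headers[key];
}

// Canonical scheme://host[:port] form, so "https://app.example:443" and
// "https://app.example" compare equal. Returns null for unparsable input.
function normalizeOrigin(value) {
  try {
    return new URL(value).origin;
  } catch {
    return null;
  }
}

// Returns { ok, reason }. `expectedOrigin` is the site's own origin (assumed
// to come from configuration, not from the request).
function checkRequestOrigin(method, headers, expectedOrigin) {
  if (SAFE_METHODS.has(method.toUpperCase())) return { ok: true, reason: "safe method" };
  const expected = normalizeOrigin(expectedOrigin); // null => every origin mismatches (fail closed)

  const origin = getHeader(headers, "origin");
  if (origin !== null && origin !== "") {
    // "null" is the opaque origin (sandboxed iframe, data: URL, redirects across origins).
    if (origin === "null") return { ok: false, reason: "opaque origin" };
    return normalizeOrigin(origin) === expected
      ? { ok: true, reason: "origin matches" }
      : { ok: false, reason: `cross-origin request from ${origin}` };
  }

  // No Origin header: use the fetch metadata header where the browser sent one.
  const site = getHeader(headers, "sec-fetch-site");
  if (site === "same-origin" || site === "none") return { ok: true, reason: `sec-fetch-site=${site}` };
  if (site !== null) return { ok: false, reason: `sec-fetch-site=${site}` };

  // Neither header: not a modern browser form post. Fail closed; relax this
  // deliberately if the endpoint must also serve non-browser clients.
  return { ok: false, reason: "no origin information" };
}

// Constructed demo: a form post from another site versus one from the app itself.
const SITE = "https://app.example";
console.log(checkRequestOrigin("POST", { Origin: "https://evil.example" }, SITE));
console.log(checkRequestOrigin("POST", { Origin: "https://app.example" }, SITE));
```

Note that `same-site` is rejected on purpose: a sibling subdomain is a different origin, and treating it as trusted is exactly the gap a CSRF defense should not have.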

### CVE-2025-59057, CVE-2026-22029, and CVE-2026-21884 (XSS)

These are cross-site scripting (XSS) vulnerabilities. For example, in CVE-2026-22029, actions and experimental RSC Server Functions that redirect to a path constructed from untrusted user input may be hijacked to execute arbitrary JavaScript in the browser.

**Regardless of hosting provider, all apps passing untrusted data into certain APIs may be vulnerable.** (The Remix team has left this intentionally vague.)
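Both the open redirect (CVE-2025-68470) and the redirect XSS (CVE-2026-22029) sections above come down to the same application-side habit: passing a user-supplied value straight into a redirect. Independent of the library fix, an app should only ever redirect to a target it has validated. The validator below is an added example, not React Router's code and not the patch for either CVE: it accepts only a same-origin absolute path, rejects scheme-carrying values such as `javascript:` and protocol-relative forms such as `//host` and `/\host`, strips nothing silently, and re-checks the path after URL normalization because `/..//host` normalizes to `//host`. The base origin `https://app.invalid` is a placeholder used only for parsing; the sample inputs are constructed.

```javascript
// Added example (not React Router's code): allow-list a redirect target
// before handing it to redirect(). Returns the normalized same-origin path,
// or `fallback` when the input is anything else.
function safeRedirectTarget(target, fallback = "/") {
  if (typeof target !== "string" || target.length === 0 || target.length > 2048) return fallback;

  // CR/LF could split a Location header; other control characters confuse parsers.
  if (/[\u0000-\u001f\u007f]/.test(target)) return fallback;

  // Must be an absolute-path reference: a leading "/" that is not followed by
  // "/" or "\" (browsers read both "//host" and "/\host" as protocol-relative).
  if (!/^\/(?![\/\\])/.test(target)) return fallback;

  // Parse against a fixed placeholder base (assumption: any same-origin app
  // can use any base here, it only anchors the parse) and reject anything
  // that resolves outside it.
  const base = "https://app.invalid";
  let url;
  try {
    url = new URL(target, base);
  } catch {
    return fallback;
  }
  if (url.origin !== base) return fallback;

  // Dot-segment normalization can manufacture a protocol-relative path:
  // "/..//evil.example" parses to pathname "//evil.example". Check again.
  if (url.pathname.startsWith("//")) return fallback;

  return url.pathname + url.search + url.hash;
}

// Constructed inputs: one legitimate "return to" value and several hostile ones.
const SAMPLES = [
  "/account/settings?tab=security",
  "https://evil.example/",
  "//evil.example/",
  "/\\evil.example",
  "javascript:alert(1)",
  "/..//evil.example",
  "/login\r\nSet-Cookie: x=y",
];
for (const s of SAMPLES) console.log(JSON.stringify(s), "=>", safeRedirectTarget(s));
```

In an action, use the returned value rather than the raw parameter: read `returnTo` from the form data or search params, pass it through `safeRedirectTarget`, and give only the result to `redirect()`.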

## What should I do?

If any of your projects use an affected version listed above, we strongly recommend upgrading as soon as possible to the patched releases:

-   `react-router` 7.12.0 or later (for React Router 7.x)
-   `react-router` 6.30.2 or later (for React Router 6.x)
-   `@remix-run/react` 2.17.4 or later
-   `@remix-run/server-runtime` 2.17.4 or later
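To find out which versions a project actually resolves, including nested copies that `package.json` does not show, read the lockfile rather than the manifest. The script below is an added example, not tooling from Netlify or the React Router project: it walks the `packages` map of a `package-lock.json` (lockfile v2/v3) and reports every installed copy whose version falls inside one of the affected ranges from the table above. The lockfile in the demo is constructed, and applying the Remix ranges to both `@remix-run/react` and `@remix-run/server-runtime` follows the upgrade list above and is an assumption on my part.

```javascript
// Added example, not code from Netlify or the React Router project.
// Audits a package-lock.json (lockfile v2/v3 "packages" map) against the
// affected ranges from the table above. Ranges are inclusive on both ends;
// min === null means "every version up to max".

const REMIX_RANGES = [
  { cve: "CVE-2025-61686", min: null, max: "2.17.1" },
  { cve: "CVE-2026-22030", min: null, max: "2.17.2" },
  { cve: "CVE-2025-59057", min: "1.15.0", max: "2.17.0" },
  { cve: "CVE-2026-22029", min: null, max: "2.17.3" },
  { cve: "CVE-2026-21884", min: null, max: "2.17.2" },
];

const AFFECTED = {
  "react-router": [
    { cve: "CVE-2025-61686", min: "7.0.0", max: "7.9.3" },
    { cve: "CVE-2025-68470", min: "6.0.0", max: "6.30.1" },
    { cve: "CVE-2025-68470", min: "7.0.0", max: "7.9.5" },
    { cve: "CVE-2026-22030", min: "7.0.0", max: "7.11.0" },
    { cve: "CVE-2025-59057", min: "7.0.0", max: "7.8.2" },
    { cve: "CVE-2026-22029", min: "6.0.0", max: "6.30.2" },
    { cve: "CVE-2026-22029", min: "7.0.0", max: "7.11.0" },
    { cve: "CVE-2026-21884", min: "7.0.0", max: "7.11.0" },
  ],
  // Assumption: the Remix ranges apply to both packages named in the upgrade list.
  "@remix-run/react": REMIX_RANGES,
  "@remix-run/server-runtime": REMIX_RANGES,
};

// Parse "major.minor.patch". A prerelease suffix such as "-pre.0" is ignored,
// so a prerelease is treated like its final release (conservative for an audit).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function inRange(version, { min, max }) {
  return (min === null || compareVersions(version, min) >= 0) &&
    compareVersions(version, max) <= 0;
}

// Returns one finding per (installed copy, CVE) pair. Nested copies such as
// "node_modules/foo/node_modules/react-router" are included.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages ?? {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the root project entry has the key ""
    const name = path.slice(idx + "node_modules/".length);
    const ranges = AFFECTED[name];
    if (!ranges || !entry.version || !parseVersion(entry.version)) continue;
    for (const range of ranges) {
      if (inRange(entry.version, range)) {
        findings.push({ path, name, version: entry.version, cve: range.cve });
      }
    }
  }
  return findings;
}

// Constructed sample lockfile for the demo (not a real project).
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react": { version: "19.0.0" },
    "node_modules/react-router": { version: "7.9.5" },
    "node_modules/@remix-run/react": { version: "2.17.2" },
    "node_modules/@remix-run/server-runtime": { version: "2.17.4" },
  },
};

for (const f of auditLockfile(SAMPLE_LOCK)) {
  console.log(`${f.cve}: ${f.name}@${f.version} (${f.path})`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an empty result means no installed copy of these three packages sits in an affected range.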

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are [automatically deleted](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#automatic-deploy-deletion). Consider [deleting these deploys manually](https://docs.netlify.com/deploy/manage-deploys/manage-deploys-overview/#manual-deploy-deletion-through-the-netlify-ui).