Security update: multiple vulnerabilities in React Router

June 2, 2026

The React Router team has disclosed seven security vulnerabilities. Here’s what Netlify customers need to know.

Vulnerabilities

| Vulnerability | Package | Affected versions | Fixed in |
| --- | --- | --- | --- |
| GHSA-8x6r-g9mw-2r78 — DoS via __manifest endpoint | react-router | 7.0.0–7.14.x | 7.15.0 |
| GHSA-rxv8-25v2-qmq8 — DoS via single-fetch request body | react-router | 7.0.0–7.13.x | 7.14.0 |
| GHSA-8646-j5j9-6r62 — XSS via javascript: redirect in unstable RSC | react-router | 7.7.0–7.13.1 | 7.13.2 |
| GHSA-49rj-9fvp-4h2h — RCE when chained with prototype pollution | react-router | 7.5.2–7.14.1 | 7.14.2 |
| GHSA-2j2x-hqr9-3h42 — Protocol-relative open redirect | react-router | 7.0.0–7.14.0 | 7.14.1 |
| GHSA-f22v-gfqf-p8f3 — Stored XSS in prerendered redirect HTML | @react-router/dev | 7.0.0–7.13.1 | 7.13.2 |
| GHSA-84g9-w2xq-vcv6 — CSRF check bypassed for PUT/PATCH/DELETE | react-router | 7.12.0–7.15.0 | 7.15.1 |

Impact on Netlify

GHSA-8x6r-g9mw-2r78 and GHSA-rxv8-25v2-qmq8 (denial of service)

These are server-side denial-of-service (DoS) vulnerabilities. On Netlify, these have minimal impact: our autoscaling serverless architecture means that a malicious request resulting in a crashed or hung function does not affect other requests. However, active exploitation could increase your function costs.

GHSA-8646-j5j9-6r62 (XSS in unstable RSC)

This vulnerability affects apps using the experimental unstable_* RSC APIs where an attacker can control a redirect target. Only apps using these unstable APIs are affected.

Regardless of hosting provider, affected apps passing untrusted input into RSC redirect calls may be vulnerable.

GHSA-49rj-9fvp-4h2h (RCE when chained)

This vulnerability is not directly exploitable against React Router alone. Reaching the vulnerable code path requires the application to first be independently vulnerable to a prototype pollution attack.

GHSA-2j2x-hqr9-3h42 (open redirect)

Apps that redirect users to attacker-supplied URLs and try to restrict the target to the same origin may still let protocol-relative targets through. A target that begins with two slashes (//host/path) passes a check that only confirms the value starts with a slash, yet the browser resolves it to an external origin using the current scheme.

Regardless of hosting provider, all affected apps passing untrusted input to redirect() may be vulnerable.

GHSA-f22v-gfqf-p8f3 (stored XSS in prerendering)

This vulnerability affects apps using the prerendering feature (prerender: [...] in react-router.config.ts). If any redirect target baked into a prerendered build originates from external or attacker-controlled data, the static artifact remains affected until a fresh build is run with a patched version.

Regardless of hosting provider, all affected apps using prerendering with externally sourced redirect targets may be vulnerable.
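The same-origin check that the redirect-related advisories above call for (the javascript: redirect in unstable RSC, the protocol-relative open redirect, and externally sourced prerender redirect targets), as an added example. This is not React Router's, @react-router/dev's or Netlify's code; APP_ORIGIN is an assumed value, and staticRedirectHtml builds a generic static redirect page as a stand-in for whatever a prerender step actually emits. It validates a target by resolving it against the app origin with the WHATWG URL parser browsers use, then escapes the validated value at the HTML sink:

```javascript
// Added example (not React Router's, @react-router/dev's or Netlify's code):
// a same-origin check for redirect targets taken from untrusted input.
// APP_ORIGIN is an assumed value for the example.
const APP_ORIGIN = "https://app.example";

// Returns a same-origin path such as "/account?tab=1", or null when the
// target would leave the origin or is not a navigable http(s) URL.
function sameOriginRedirect(target, origin = APP_ORIGIN) {
  if (typeof target !== "string" || target === "") return null;
  let url;
  try {
    // Relative inputs resolve against our origin. A "starts with /" test is
    // not enough: "//evil.example" and "/\evil.example" both resolve to an
    // external host under the URL rules browsers use.
    url = new URL(target, origin);
  } catch {
    return null;
  }
  // Rejects javascript: and data: (origin "null"), absolute URLs on other
  // hosts, protocol-relative hosts, and userinfo tricks such as
  // "https://app.example@evil.example/".
  if (url.origin !== new URL(origin).origin) return null;
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  return url.pathname + url.search + url.hash;
}

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

// Build-time use: a generic static redirect page (an assumed stand-in, not
// the HTML @react-router/dev emits). The target is validated first and then
// escaped at the HTML sink, so an externally sourced value can neither send
// the user off-origin nor break out of the attribute.
function staticRedirectHtml(target) {
  const path = sameOriginRedirect(target);
  if (path === null) {
    throw new Error("refusing to prerender redirect to " + JSON.stringify(target));
  }
  return `<!doctype html>\n<meta http-equiv="refresh" content="0;url=${escapeAttr(path)}">\n`;
}

// Constructed inputs for a quick run.
for (const t of [
  "/account?tab=1",
  "//evil.example/x",
  "/\\evil.example",
  "javascript:alert(1)",
  "https://app.example@evil.example/",
  "https://app.example/dash#top",
]) {
  console.log(JSON.stringify(t), "->", sameOriginRedirect(t));
}
console.log(staticRedirectHtml('/"><script>alert(1)</script>'));
```

For the prerender case, run the same validation over the redirect list at build time and fail the build on a rejected target rather than emitting the page; a rejected value baked into a static artifact is exactly the situation that persists until the next build.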

GHSA-84g9-w2xq-vcv6 (CSRF bypass for PUT/PATCH/DELETE)

The CSRF origin check introduced in React Router 7.12.0 only applied to POST requests on the document-request path, leaving PUT, PATCH, and DELETE unchecked. In practice, exploitation additionally requires the app to have explicitly opened CORS for those methods and to be issuing session cookies with SameSite=None: a plain HTML form cannot submit a cross-site PUT, PATCH, or DELETE, so the attacker needs a fetch() call whose preflight the app's CORS policy permits, and the session cookie only accompanies that cross-site request when it is marked SameSite=None.

Regardless of hosting provider, this only poses a meaningful risk in apps with permissive cross-origin configurations.
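The shape of the bug and its fix, as an added example rather than React Router's own check: the weak version guards only POST, so a cross-site PUT, PATCH, or DELETE passes; the fixed version applies the same Origin (or, failing that, Referer) comparison to every method that is not safe in the CSRF sense. It relies on the Fetch API Headers class that Node 18 and later provide globally; the origin and header values are constructed for the example.

```javascript
// Added example (not React Router's code): an origin check for state-changing
// requests. Uses the global Headers class available in Node 18+.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// True when the request's Origin header, or failing that its Referer, matches
// the app origin. A request carrying neither header is rejected for unsafe
// methods: browsers always send Origin on cross-site form and fetch
// submissions, so its absence is not a reason to trust the request.
function originMatches(headers, appOrigin) {
  const origin = headers.get("origin");
  if (origin) return origin === appOrigin;
  const referer = headers.get("referer");
  if (referer) {
    try {
      return new URL(referer).origin === appOrigin;
    } catch {
      return false;
    }
  }
  return false;
}

// Weak: only POST is checked, so a cross-site PUT/PATCH/DELETE is accepted.
function csrfCheckWeak(method, headers, appOrigin) {
  if (method.toUpperCase() !== "POST") return true;
  return originMatches(headers, appOrigin);
}

// Fixed: every method outside the safe set gets the same check.
function csrfCheckFixed(method, headers, appOrigin) {
  if (SAFE_METHODS.has(method.toUpperCase())) return true;
  return originMatches(headers, appOrigin);
}

// Constructed requests: one cross-site, one same-site.
const APP = "https://app.example";
const crossSite = new Headers({ origin: "https://evil.example" });
const sameSite = new Headers({ origin: "https://app.example" });
for (const method of ["POST", "PUT", "PATCH", "DELETE"]) {
  console.log(
    method,
    "cross-site weak:", csrfCheckWeak(method, crossSite, APP),
    "fixed:", csrfCheckFixed(method, crossSite, APP),
    "same-site fixed:", csrfCheckFixed(method, sameSite, APP),
  );
}
```

The check only matters for routes that authenticate with cookies; a client that authenticates with a bearer token and never sends cookies is not a CSRF target, and if such clients share the route they will need the Origin header or a separate path.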

What should I do?

We strongly recommend upgrading as soon as possible to patched releases:

  • react-router 7.15.1 or later
  • @react-router/dev 7.13.2 or later (if using prerendering)

If your app uses prerendering, trigger a fresh build after upgrading to regenerate any affected static assets.

Note that any publicly available deploy previews and branch deploys may remain vulnerable until they are automatically deleted. Consider deleting these deploys manually.