HIGH 7.6

GHSA-3cgp-3xvw-98x8

React Router has XSS Vulnerability

Details

A XSS vulnerability exists in in React Router's `meta()`/`<Meta>` APIs in [Framework Mode](https://reactrouter.com/start/modes#framework) when generating `script:ld+json` tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.

> [!NOTE] > This does not impact applications using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-router

Introduced in: 7.0.0 Fixed in: 7.9.0

Fix npm install react-router@7.9.0

npm / @remix-run/react

Introduced in: 1.15.0 Fixed in: 2.17.1

Fix npm install @remix-run/react@2.17.1

References

https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2025-59057 [ADVISORY]
https://github.com/remix-run/react-router [PACKAGE]