HIGH 8.0

GHSA-8646-j5j9-6r62

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets

Details

When using React Router v7's unstable RSC APIs, there exists a potential client-side XSS issue in the RSC redirect handling if redirects are coming from untrusted sources

> [!NOTE] > This only impacts your application if you are using the unstable RSC APIs in React Router.

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-router

Introduced in: 7.7.0 Fixed in: 7.13.2

Fix npm install react-router@7.13.2

References

https://github.com/remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2026-33245 [ADVISORY]
https://github.com/remix-run/react-router [PACKAGE]