HIGH 8.2

GHSA-8v8x-cx79-35w7

React Router SSR XSS in ScrollRestoration

Details

A XSS vulnerability exists in in React Router's `<ScrollRestoration>` API in [Framework Mode](https://reactrouter.com/start/modes#framework) when using the `getKey`/`storageKey` props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.

> [!NOTE] > This does not impact applications if developers have [disabled server-side rendering](https://reactrouter.com/how-to/spa) in Framework Mode, or if they are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-router

Introduced in: 7.0.0 Fixed in: 7.12.0

Fix npm install react-router@7.12.0

npm / @remix-run/react

Introduced in: 0 Fixed in: 2.17.3

Fix npm install @remix-run/react@2.17.3

Details

Are you affected?

Affected packages

References