HIGH 7.5

GHSA-8x6r-g9mw-2r78

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

Details

There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users.

> [!NOTE] > This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

Are you affected?

Enter the version of the package you're using.

Affected packages

npm / react-router

Introduced in: 7.0.0 Fixed in: 7.15.0

Fix npm install react-router@7.15.0

npm / @remix-run/server-runtime

Introduced in: 2.10.0 Fixed in: 2.17.5

Fix npm install @remix-run/server-runtime@2.17.5

References

https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78 [WEB]
https://nvd.nist.gov/vuln/detail/CVE-2026-42342 [ADVISORY]
https://github.com/remix-run/react-router [PACKAGE]