CVE-2026-33244: React Router XSS in Framework Mode with Pre-rendering
React Router versions 7.5.1 through 7.13.1 contain a cross-site scripting (XSS) vulnerability when used in Framework Mode with pre-rendering. If your application redirects users to untrusted URLs and generates static HTML files during build time, attackers can inject malicious scripts into those pre-rendered pages. This vulnerability does not affect applications using the more common Declarative Mode or Data Mode routing approaches. The issue has been fixed in version 7.13.2.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
- Weaknesses (CWE)
- CWE-79
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
React Router is a router for React. In versions 7.5.1 through 7.13.1, when using Framework Mode with pre-rendering enabled, improper neutralization of the HTTP `Location` header value can permit Cross-Site Scripting (XSS) in the statically generated HTML files if the redirect location comes from an untrusted source. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.13.2.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from improper sanitization of the HTTP Location header when Framework Mode processes redirects during the pre-rendering phase. When a redirect target originates from an untrusted source—such as user input or external data—the Location header value is not adequately neutralized before being embedded into statically generated HTML. This allows an attacker to craft a malicious redirect URL containing JavaScript payloads (e.g., `javascript:alert(1)` or data URIs) that execute in the context of the pre-rendered page. The flaw is specific to Framework Mode's static generation pipeline and does not manifest in Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`), both of which handle runtime routing without the same pre-rendering constraints.
Business impact
Teams relying on React Router's Framework Mode with static pre-rendering for performance or hosting optimization face a supply-chain risk: compromised or malicious redirect data baked into production HTML at build time can serve XSS payloads to end users without requiring runtime exploitation. This is particularly concerning for applications that accept redirect parameters from query strings, APIs, or user-controlled sources. Affected organizations must patch before deploying new builds or re-rendering existing static assets. The Medium CVSS score (5.4) reflects that exploitation requires user interaction and valid authentication to the application.
Affected systems
Only Shopify's React Router library versions 7.5.1 through 7.13.1 are affected, and only when Framework Mode is explicitly configured with pre-rendering enabled. Applications using Declarative Mode or Data Mode are unaffected. Organizations should audit their React Router configuration to confirm which routing mode is in use.
Exploitability
Exploitation requires three conditions: (1) use of Framework Mode with pre-rendering, (2) a redirect target derived from an untrusted source at build time, and (3) a user clicking a link to or visiting the pre-rendered page. The attack surface is limited to applications that dynamically generate redirects during static site generation, making this a niche but serious risk for certain use cases. No known public exploits exist, and the vulnerability is not yet tracked in the CISA Known Exploited Vulnerabilities catalog.
Remediation
Upgrade React Router to version 7.13.2 or later as soon as feasible. For applications on vulnerable versions, perform a full rebuild and static asset regeneration after patching to ensure pre-rendered HTML files no longer contain the unmitigated Location header values. Review any redirect logic in Framework Mode to confirm that redirect targets are validated or hardcoded rather than sourced from user input or untrusted APIs.
Patch guidance
Update the react-router package to version 7.13.2 or later via your package manager (npm, yarn, pnpm). After updating, rebuild your static assets or run your pre-rendering pipeline to regenerate HTML files with the patched code. Verify the update in your lock file and test redirect behavior in a staging environment before production deployment. Check the official Shopify React Router repository and release notes to confirm patch availability and any migration notes.
Detection guidance
Inspect your package.json and lock files for react-router versions 7.5.1–7.13.1. If found, confirm your routing configuration: check for `frameWorks` or `framework` mode setup and pre-rendering or static generation configuration. Review build logs and generated HTML files for evidence of pre-rendering. Monitor application logs for unusual redirect patterns or XSS attempts targeting redirect parameters. Use standard web application firewall (WAF) rules to detect JavaScript payloads in HTTP Location headers or query parameters.
Why prioritize this
Although rated Medium severity, this vulnerability should be addressed promptly because: (1) it affects the build-time artifact layer, meaning fixes persist across deployments, (2) organizations using Framework Mode with pre-rendering often serve high-traffic static content, and (3) patching is straightforward and low-risk. However, if your application does not use Framework Mode or does not accept untrusted redirect sources, remediation can be deferred in favor of higher-impact vulnerabilities.
Risk score, explained
The CVSS 3.1 score of 5.4 (Medium) reflects a network-exploitable XSS flaw with low attack complexity and limited scope (stored in pre-rendered HTML). The score is tempered by the requirement for user interaction (UI:R), a valid login (PR:L), and the limited confidentiality and integrity impact (C:L/I:L). The score does not account for the niche use case (Framework Mode + pre-rendering), which further reduces practical exploitability across the broader React ecosystem.
Frequently asked questions
Do all React Router applications need to patch?
No. Only applications explicitly using Framework Mode with pre-rendering enabled are affected. The vast majority of React Router users leverage Declarative Mode or Data Mode and are not vulnerable. Verify your routing configuration in your application's setup files.
What if we use Framework Mode but do not perform static pre-rendering?
If Framework Mode is configured without pre-rendering or static generation, the vulnerability does not apply. However, confirm that pre-rendering is truly disabled in your build configuration and that no third-party tools are generating static HTML independently.
Can we mitigate this without upgrading?
Partial mitigation is possible by strictly validating and sanitizing all redirect targets to ensure they do not contain JavaScript protocols or data URIs before passing them to the routing system. However, patching to version 7.13.2+ is the recommended permanent solution.
Will patching break our application?
Patching to version 7.13.2 is a security update and should not introduce breaking changes. However, always test in a staging environment first to confirm compatibility with your specific Framework Mode and pre-rendering setup.
This analysis is provided for informational purposes and based on the published vulnerability details as of the date of this report. Security teams should verify all patch versions, CVSS scores, and affected product versions against official vendor advisories and their own environment inventories before taking remedial action. SEC.co does not provide exploit code or weaponized proof-of-concepts. Organizations are responsible for assessing the applicability of this vulnerability to their specific configurations and for validating patches in pre-production environments. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-33245HIGHReact Router 7.7.0-7.13.1 RSC XSS Vulnerability – Patch Available
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2019-25731MEDIUMStored XSS in Zuz Music 2.1 Contact Form
- CVE-2019-25737MEDIUMStored XSS in Live Chat Unlimited 2.8.3 – Admin Session Compromise
- CVE-2019-25739MEDIUMGigToDo 1.3 Stored XSS Vulnerability in Proposal Descriptions
- CVE-2019-25742MEDIUMStored XSS in Zoner Real Estate WordPress Theme 4.1.1 – Admin Account Compromise Risk
- CVE-2019-25743MEDIUMWordPress Soliloquy Lite 2.5.6 Stored XSS Vulnerability
- CVE-2019-25744MEDIUMWordPress Popup Builder 3.49 Stored XSS Vulnerability – Exploit Prevention & Patch Guide