HIGH 8.0

CVE-2026-33245: React Router 7.7.0-7.13.1 RSC XSS Vulnerability – Patch Available

React Router, a widely-used routing library for React applications, contains a cross-site scripting (XSS) vulnerability in its experimental React Server Components (RSC) feature. Versions 7.7.0 through 7.13.1 are affected. If an attacker can influence redirect instructions sent to your application—for example, through a compromised backend endpoint or man-in-the-middle scenario—malicious code could execute in users' browsers. The vulnerability is limited to applications actively using the unstable RSC APIs; standard React Router implementations are not impacted. A patch is available in version 7.13.2.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.0 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from insufficient input validation in React Router's RSC redirect handling mechanism. When redirect responses originate from untrusted sources, the library fails to properly sanitize or validate the redirect target before processing it client-side, creating a vector for injected JavaScript execution. The attack surface is constrained by the requirement that redirects must reach the client via the RSC layer, and the attacker must control or intercept the source delivering redirect instructions. The CVSS 3.1 score of 8.0 reflects high impact (confidentiality and integrity compromise) tempered by the AC:H (attack complexity: high) rating, indicating successful exploitation requires specific conditions aligned with the redirect flow.

Business impact

For organizations deploying React applications with RSC enabled, a successful exploit could lead to session hijacking, credential theft, or injection of malware into the user's session. The scope is marked as 'Changed,' meaning the vulnerability can affect resources beyond the vulnerable component—for instance, redirects could steal authentication tokens or exfiltrate sensitive data from the page context. Applications not using RSC are unaffected, limiting the overall blast radius. Teams relying on React Router for full-stack RSC patterns should treat this as a near-term remediation priority.

Affected systems

Shopify's React Router library versions 7.7.0 through 7.13.1 are vulnerable. The vulnerability only manifests in applications that have explicitly integrated and enabled the unstable RSC APIs provided by React Router. Standard client-side routing in React Router remains unaffected. Organizations should audit their React Router deployment to determine if RSC features are in use.

Exploitability

While the attack requires high complexity—the attacker must either control a redirect source (e.g., a backend endpoint) or conduct a network-level interception—the requirement for user interaction (UI:R) is met by normal browsing. The network accessibility (AV:N) means the attack can be mounted remotely. This is not a trivial exploit, but it is feasible in supply-chain scenarios, compromised backend services, or environments with weak network controls.

Remediation

Upgrade React Router to version 7.13.2 or later. This update includes input validation and sanitization improvements for RSC redirect handling. Before upgrading, confirm whether your application uses the unstable RSC APIs; if it does not, the vulnerability poses no risk, though staying current is still a security best practice. Verify the upgrade in a staging environment to ensure compatibility with your application's routing logic.

Patch guidance

Apply React Router version 7.13.2 as the minimum fix. Review your package.json and lock files to confirm the exact version in use. Use npm or yarn to update: 'npm update [email protected]' or 'yarn upgrade [email protected]'. Test thoroughly in staging, particularly any flows involving server-side redirects or dynamic redirect targets. If you are on a version prior to 7.7.0, no action is required for this specific vulnerability, but consider modernizing your React Router version for security and feature benefits.

Detection guidance

Monitor your application logs for unusual redirect targets or patterns in redirect responses, particularly those containing JavaScript: protocol handlers or event attributes. Use Content Security Policy (CSP) headers to restrict script execution sources—a strict CSP can mitigate XSS impact even if a redirect is compromised. Consider network segmentation to reduce the likelihood of man-in-the-middle interception of redirect instructions. Automated dependency scanning tools (npm audit, Snyk, Dependabot) should flag this vulnerability in any project with affected React Router versions in use.

Why prioritize this

This vulnerability merits rapid attention for teams using RSC APIs due to the HIGH severity rating and direct XSS impact. However, the requirement for high attack complexity and the limited scope (RSC-only) means it does not rise to the absolute top tier. Organizations should prioritize this within a week if RSC is in production; those not using RSC can defer to routine update cycles. The lack of active exploitation (KEV status: not listed) suggests patch availability is ahead of active threats, creating a favorable window for remediation.

Risk score, explained

The CVSS 8.0 score reflects a High severity vulnerability with significant potential for user harm (confidentiality and integrity impact) balanced against the requirement for high attack complexity and non-default configuration (RSC APIs). The user interaction requirement and changed scope further contextualize the risk—an attacker cannot exploit this without either controlling a redirect source or intercepting traffic, and the impact extends beyond the library itself. For organizations with RSC enabled, this is a genuine high-risk finding; for others, it is a non-issue.

Frequently asked questions

Do I need to patch if I'm not using React Server Components (RSC) APIs?

No. This vulnerability is specific to applications that have explicitly enabled and are using React Router's unstable RSC APIs. If you are using standard React Router client-side routing, you are not affected. You can verify your codebase by searching for RSC-specific imports or configurations in your React Router setup.

Can this vulnerability be exploited without network compromise?

The vulnerability requires the attacker to either control a source of redirect instructions (such as a compromised backend) or intercept network traffic (man-in-the-middle). It is not exploitable purely through browser-based attacks or by a user simply visiting a malicious website. However, in environments with weak network segmentation or untrusted internal services, the risk is elevated.

Will upgrading to 7.13.2 break my application?

Version 7.13.2 is a patch release focused on security; breaking changes are unlikely. That said, you should test in a staging environment before deploying to production. Review the React Router release notes to confirm compatibility with your specific version and any custom redirect logic.

What is the difference between a 'High' and 'Critical' severity rating here?

The CVSS 8.0 score (High) reflects the combination of high impact potential tempered by high attack complexity and a non-default configuration requirement. A 'Critical' rating typically indicates immediate exploit availability, no user interaction required, or impact to unauthenticated users at scale. The attack complexity and RSC-only scope prevent this from reaching Critical, even though the core XSS risk is severe for affected applications.

This analysis is based on the published CVE record and vendor advisory as of the modification date (2026-06-17). Security conditions and threat landscape may change; consult Shopify's official React Router security advisories and your internal security team for the most current guidance. This vulnerability does not appear on the CISA Known Exploited Vulnerabilities (KEV) list as of publication; however, absence from KEV does not guarantee absence of active exploitation. Verify all patch versions and compatibility against your vendor's official releases before deployment. SEC.co makes no warranty regarding the completeness or accuracy of this analysis. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).