CVE-2026-34077: React Router XSS in RSC Redirect Handling – Patch Guidance
React Router versions 7.7.0 through 7.13.1 contain a client-side Cross-Site Scripting (XSS) vulnerability when using the unstable React Server Components (RSC) APIs. If an application accepts redirect parameters from untrusted sources and processes them through React Router's RSC redirect handling, an attacker could inject malicious scripts that execute in users' browsers. The vulnerability does not affect applications that do not use the unstable RSC APIs. Shopify's React Router package released patch version 7.13.2 to address this issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-770
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in React Router's handling of redirects within the experimental React Server Components feature set. When redirect destinations originate from untrusted input—such as user-supplied query parameters or external data—insufficient sanitization allows arbitrary JavaScript injection into the client-side redirect execution flow. The flaw is specific to RSC implementations and does not impact traditional React Router routing patterns. CWE-770 classification indicates an uncontrolled resource consumption concern, though the primary manifestation is XSS. Exploitation requires both that an application uses the unstable RSC APIs and that it passes unsanitized redirect values to the affected code paths.
Business impact
Organizations using React Router for server-rendered React applications face potential account compromise, session hijacking, and credential theft if attackers can craft malicious redirect URLs. Affected users may be tricked into visiting attacker-controlled content or have sensitive browser data exfiltrated. For SaaS platforms and internal web applications, this creates direct exposure to phishing-style attacks that appear to originate from legitimate application redirects. Remediation requires swift patching, particularly for customer-facing applications where trust and data security are critical.
Affected systems
React Router versions 7.7.0 through 7.13.1 are affected when the unstable React Server Components APIs are in use. The vulnerability does not impact applications using React Router's standard, stable routing APIs. Turbo Stream packages that depend on vulnerable React Router versions may also require attention depending on their specific dependencies and usage patterns. Organizations should audit their React Router version and confirm whether RSC APIs are actively enabled in their application configuration.
Exploitability
Exploitation requires an attacker to control or influence redirect destinations that flow through React Router's RSC handling. Attack vectors include manipulating query parameters, intercepting redirect logic, or compromising upstream redirect sources. No user interaction beyond following a crafted link is necessary (CVSS vector: AV:N/AC:L/PR:N/UI:N). However, the attacker must have knowledge that the target application uses unstable RSC APIs, which may limit opportunistic exploitation. The vulnerability is not known to be actively exploited in the wild at this time.
Remediation
Update React Router to version 7.13.2 or later. Applications using Turbo Stream should verify their React Router transitive dependency is updated. For environments where immediate patching is infeasible, disable or avoid using the unstable RSC APIs until patches are deployed. Input validation and output encoding on redirect destinations provide defense-in-depth but should not be relied upon as a substitute for patching. Test patched versions in development and staging environments before production deployment.
Patch guidance
Shopify released React Router 7.13.2 on or around the vulnerability publication date (2026-06-02). Update your package.json dependency or equivalent package manager configuration to reference version 7.13.2 or any later 7.x release. Run npm update (or equivalent for your package manager) and verify the upgrade in your lockfile. If your application depends on Turbo Stream, ensure its React Router transitive dependency resolves to the patched version. Recompile and redeploy your application, paying particular attention to server-side rendering and RSC initialization paths.
Detection guidance
Review application code to identify whether React Router's unstable RSC APIs are imported or used (e.g., functions marked with 'unstable_' prefix). Check package-lock.json or yarn.lock for React Router versions 7.7.0–7.13.1. Monitor web server logs and application error tracking for unexpected 30x redirect responses or JavaScript errors originating from redirect handling. Implement Content Security Policy (CSP) headers to restrict inline script execution and reduce XSS impact. Conduct manual code review of any redirect-handling logic that processes external input.
Why prioritize this
This vulnerability merits high priority for organizations using React Router with RSC features because it enables direct client-side code injection with minimal barriers to exploitation. The CVSS 7.5 score reflects the network-accessible nature and lack of authentication requirements. While exploit activity is not yet widespread, the straightforward nature of XSS attacks and the potential for account takeover justify swift remediation. Teams should prioritize patching before expanding RSC usage in production or handling sensitive user data through redirect flows.
Risk score, explained
CVSS 3.1 score of 7.5 (HIGH severity) is derived from a network-accessible attack vector (AV:N), low attack complexity (AC:L), and no privilege or user interaction requirements (PR:N/UI:N). However, the vector indicates 'A:H' (Availability impact High) rather than Integrity impact, which is atypical for an XSS vulnerability. This may reflect the underlying CWE-770 resource exhaustion concern or a conservative scoring approach. The practical business risk—unpatched XSS in a web framework—is well-captured by the HIGH severity rating. Security teams should apply their own organizational risk context; applications handling authentication or payment data warrant immediate patching even if other factors are mitigating.
Frequently asked questions
If we don't use React Server Components, are we affected?
No. This vulnerability is specific to React Router's unstable RSC APIs. If your application uses only standard React Router routing (the stable, widely-used APIs), you are not affected by CVE-2026-34077. Verify your codebase for any imports from unstable_* functions or RSC-specific routing configuration.
Can we mitigate this without upgrading immediately?
Input validation and proper URL encoding on redirect destinations provide some defense-in-depth, but they should not replace patching. Disabling or removing RSC features until you can patch is another option. Content Security Policy headers can limit the impact of XSS but do not eliminate the vulnerability. Patching to 7.13.2 is the definitive fix.
How do we verify that patching was successful?
Confirm React Router version 7.13.2 or later in your package-lock.json or yarn.lock after running npm update. Review your build output or compiled bundle to ensure the patched version is included. Test your application's redirect flows with benign payloads to confirm they function correctly post-patch. Monitor error logs during and after deployment.
Does this affect Turbo Stream applications?
Only if Turbo Stream applications depend on React Router versions 7.7.0–7.13.1 and use its RSC APIs. Check your Turbo Stream dependency chain. After updating React Router, verify Turbo Stream's transitive dependencies are also updated. If Turbo Stream is not directly involved with redirect handling, your risk may be lower, but patching is still recommended for defense-in-depth.
This analysis is based on the vulnerability disclosure as of 2026-06-17. Patch versions, CVSS scores, and affected product lists are sourced from official vendor advisories and the National Vulnerability Database. Security teams should independently verify all patch versions and compatibility with their specific environments before deployment. This explainer is not a substitute for vendor security bulletins or internal risk assessment. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance in edge-case configurations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-46638HIGHDell BSAFE SSL-J Resource Exhaustion DoS Vulnerability
- CVE-2026-28299HIGHSolarWinds Web Help Desk Denial-of-Service Vulnerability – CVSS 8.2
- CVE-2026-10533MEDIUMOpenShift ResourceQuota Bypass Leads to API Server DoS
- CVE-2026-36499MEDIUMOpen vSwitch Thread Allocation DoS Vulnerability
- CVE-2026-40898MEDIUMquic-go HTTP/3 Trailer Memory Exhaustion DoS
- CVE-2026-40990MEDIUMSpring Cloud Function OOM Denial-of-Service Vulnerability
- CVE-2026-33245HIGHReact Router 7.7.0-7.13.1 RSC XSS Vulnerability – Patch Available
- CVE-2026-42211HIGHReact Router 7.0–7.14.1 Remote Code Execution via Prototype Pollution