CVE-2026-42211: React Router 7.0–7.14.1 Remote Code Execution via Prototype Pollution
React Router versions 7.0.0 through 7.14.1 contain a high-severity vulnerability that could enable remote code execution when using Framework Mode. The attack is two-stage: it requires an application to already contain a prototype pollution flaw, which an attacker can then exploit to trigger unauthorized code execution on the server. Applications using the library's Declarative Mode or Data Mode routing are unaffected. The vulnerability was patched in version 7.14.2.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-502
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-42211 is a remote code execution vulnerability in Shopify's React Router (versions 7.0.0–7.14.1) when deployed in Framework Mode. The vulnerability chain originates from a prototype pollution condition present in application code, which an attacker can manipulate through two coordinated external requests to achieve unauthorized RCE on the target server. The issue is rooted in improper deserialization or object manipulation (CWE-502) and does not affect applications using the BrowserRouter component or the RouterProvider-based Data Mode. Remediation requires upgrading to version 7.14.2 or later.
Business impact
Exploitation of this vulnerability could allow attackers to execute arbitrary code on affected web servers, potentially leading to data theft, service disruption, or lateral movement within infrastructure. The high CVSS score (8.1) reflects the severity of unauthorized code execution; however, real-world risk depends on whether deployed applications have a pre-existing prototype pollution flaw. Organizations running React Router in production should assess their routing implementation and any input validation gaps that could enable prototype pollution.
Affected systems
The vulnerability affects Shopify React Router versions 7.0.0 through 7.14.1 when used in Framework Mode. Applications using Declarative Mode (via `<BrowserRouter>`) or Data Mode (via `createBrowserRouter/<RouterProvider>`) are not affected. The attack vector is network-based with high complexity, as it requires an existing application vulnerability to be present before the React Router flaw can be exploited.
Exploitability
Exploitation requires two preconditions: (1) the application must contain a prototype pollution vulnerability, and (2) the application must use React Router's Framework Mode. While the attack vector is network-accessible and does not require authentication or user interaction, the high attack complexity (AC:H in the CVSS vector) reflects the dependency on a pre-existing flaw. No public exploit or CISA KEV listing currently exists, reducing immediate opportunistic attack risk, though organizations should assume sophisticated attackers may develop targeted payloads if prototype pollution flaws are known or discoverable.
Remediation
Upgrade React Router to version 7.14.2 or later. Organizations should simultaneously audit their application code for prototype pollution vulnerabilities—particularly in any user input handling, object merging, or deserialization logic—to eliminate the first stage of the attack chain. If Framework Mode usage is not required, migrating to Declarative or Data Mode eliminates exposure to this specific vulnerability.
Patch guidance
Apply the fix by updating the React Router dependency to version 7.14.2 or newer. Verify the update in package.json or package-lock.json, then rebuild and redeploy the application. Test routing functionality thoroughly in a staging environment before production rollout. Check the Shopify React Router release notes for any breaking changes or migration guidance between your current version and 7.14.2.
Detection guidance
Monitor for incoming requests that attempt to manipulate object prototypes or inject unexpected properties into serialized data passed to React Router. Log and alert on any Framework Mode request patterns that include unusual nested object structures or prototype-related payloads. Implement input validation and sanitization to block prototype pollution attempts. Review application logs for unexpected code execution or unusual process spawning that correlates with Framework Mode route handling. Use static analysis tools to identify prototype pollution vulnerabilities in the codebase before deployment.
Why prioritize this
This vulnerability scores HIGH (8.1 CVSS) due to the impact of remote code execution, though the required presence of a pre-existing prototype pollution flaw limits its attack surface. Organizations should prioritize patching if they (1) use React Router 7.0.0–7.14.1 in Framework Mode, (2) have not yet eliminated prototype pollution flaws in their codebase, or (3) handle untrusted external input. Patch quickly if these conditions apply; lower priority if using non-Framework routing modes or if prototype pollution vectors have been eliminated.
Risk score, explained
The CVSS 3.1 score of 8.1 (HIGH) reflects a network-accessible vulnerability with high impact (confidentiality, integrity, and availability all compromised by code execution), no authentication required, and no user interaction needed. The score moderately penalizes attack complexity (AC:H) because successful exploitation depends on the presence of an application-level prototype pollution vulnerability, which is not guaranteed in all React Router deployments. The score does not account for the rarity of the chaining condition, making it a worst-case assessment.
Frequently asked questions
Does this vulnerability affect our app if we use BrowserRouter or RouterProvider?
No. This vulnerability only impacts React Router's Framework Mode. If your application uses Declarative Mode (BrowserRouter component) or Data Mode (createBrowserRouter with RouterProvider), you are not affected and do not require an urgent patch, though you should still keep React Router up to date for other security and stability improvements.
What is prototype pollution and why does it matter here?
Prototype pollution is a vulnerability that allows an attacker to inject or modify properties on JavaScript object prototypes, potentially altering the behavior of the application. In this case, an attacker exploits a prototype pollution flaw in the application code, then leverages the React Router Framework Mode to escalate that flaw into remote code execution. Fixing both the application-level prototype pollution and upgrading React Router eliminates the attack chain.
Is there a public exploit for this vulnerability?
As of the current date, there is no CISA KEV listing or widely available public exploit code for CVE-2026-42211. However, organizations should not rely on exploit rarity; the vulnerability should be patched promptly because the attack chain is logical and could be weaponized by sophisticated threat actors targeting high-value applications.
Can we mitigate this without upgrading React Router immediately?
Partial mitigation is possible: audit and fix any prototype pollution vulnerabilities in your application code, implement strict input validation, and use a Web Application Firewall (WAF) to block requests with suspicious object structures. However, these are not substitutes for patching. Upgrade to React Router 7.14.2 as soon as practical to eliminate the vulnerability entirely.
This analysis is provided for informational purposes and reflects the vulnerability details as published. CVSS scores, affected versions, and patch information are sourced from the official CVE record. Organizations should verify patch applicability against their specific React Router version and routing mode before deployment. This explainer does not constitute legal or compliance advice. Always test patches in non-production environments first and consult official Shopify security advisories for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-11993HIGHWooCommerce Infinite Scroll Plugin PHP Object Injection – HIGH Severity
- CVE-2026-24221HIGHNVIDIA NVTabular Deserialization Vulnerability – Patch & Detection Guide
- CVE-2026-24237HIGHNVIDIA NVTabular Deserialization Remote Code Execution Vulnerability
- CVE-2026-25551HIGHBarTender 2021–12.0.1 Insecure Deserialization Privilege Escalation
- CVE-2026-37579HIGHSMSGate Remote Code Execution via CMPP7 Deserialization
- CVE-2026-38950HIGHESA AnomalyMatch Arbitrary Code Execution via Unsafe PyTorch Deserialization
- CVE-2026-39550HIGHAperitif Theme Remote Code Execution via Object Injection
- CVE-2026-39551HIGHTöbel Deserialization Remote Code Execution Vulnerability