CVE-2026-42342: React Router and Remix __manifest Denial of Service Vulnerability
React Router and Remix applications using Framework Mode are vulnerable to a denial-of-service attack via crafted requests that exploit unbounded path expansion in the __manifest endpoint. An unauthenticated attacker can send specially constructed requests that cause the server to consume excessive resources, slowing response times or rendering the application unavailable to legitimate users. This does not affect applications built with Declarative Mode or Data Mode routing patterns.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 7.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
- Weaknesses (CWE)
- CWE-400
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-02 / 2026-06-17
NVD description (verbatim)
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability stems from inadequate resource constraints on path expansion processing in the __manifest endpoint of React Router Framework Mode (versions 7.0.0–7.14.x) and @remix-run/server-runtime (versions 2.10.0–2.17.4). When an attacker sends requests with crafted path parameters, the server processes unbounded path expansion without proper limits, consuming CPU and memory resources disproportionately. The flaw manifests as CWE-400 (Uncontrolled Resource Consumption), allowing attackers to degrade service availability. Patched versions impose proper bounds on path expansion logic. Applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are not affected because they do not utilize the vulnerable __manifest endpoint processing in the same manner.
Business impact
Availability impact is the primary concern. A successful attack can degrade application responsiveness or cause complete service outages, directly affecting end-user experience and business continuity. E-commerce, SaaS platforms, and content delivery applications relying on affected React Router or Remix deployments face revenue loss, reputational damage, and support overhead during an active attack. The attack requires no authentication or user interaction, making it accessible to opportunistic threat actors and increasing incident likelihood.
Affected systems
Affected: React Router versions 7.0.0 through 7.14.x; @remix-run/server-runtime versions 2.10.0 through 2.17.4. Only Framework Mode applications are vulnerable; Declarative Mode and Data Mode applications are unaffected. Organizations using these routing patterns in production should prioritize identification of affected instances. Verify your application's routing configuration and installed package versions in package.json and package-lock.json or yarn.lock files.
Exploitability
Exploitability is high. The attack vector is network-based, requires no authentication or privilege, and involves minimal complexity—a straightforward HTTP request with crafted path parameters. No user interaction is required. The CVSS 3.1 score of 7.5 reflects this accessibility. No active exploit code has been reported in the wild (KEV status: not included), but the technical barrier to weaponization is low, and the attack can be executed from any internet-connected host. Organizations should assume potential hostile interest as awareness spreads.
Remediation
Update react-router to version 7.15.0 or later and @remix-run/server-runtime to version 2.17.5 or later. Verify against the official Shopify/Remix advisories for complete patch notes and any post-update validation steps. For organizations unable to patch immediately, implement network-level rate limiting and request filtering on the __manifest endpoint to reduce blast radius, though this is not a substitute for patching. Applications already using Declarative or Data Mode routing require no changes.
Patch guidance
Apply patches to react-router (to 7.15.0+) and @remix-run/server-runtime (to 2.17.5+) in development and staging environments first to validate compatibility with your application dependencies and custom configurations. Check for any breaking changes in the patch release notes. Update both direct and transitive dependencies. After deployment to production, monitor application logs and performance metrics for anomalies. If your build system or CI/CD pipeline pins versions, ensure those constraints are updated to allow the patched versions.
Detection guidance
Monitor for HTTP requests targeting the __manifest endpoint with unusual path parameters or exceptionally long path strings. Alert on sudden increases in CPU or memory consumption correlated with specific request patterns. Implement request logging that captures full paths and sizes. Network intrusion detection systems should be tuned to flag repeated requests with suspicious path expansion payloads. Baseline your normal __manifest request patterns and deviation detection will help identify exploitation attempts before they cause service degradation.
Why prioritize this
Despite not being on the Known Exploited Vulnerabilities (KEV) list, this vulnerability merits immediate prioritization due to its high CVSS score (7.5), low attack complexity, unauthenticated access requirement, and direct impact on service availability. Any internet-facing React Router Framework Mode or Remix application is at immediate risk. The technical simplicity of exploitation and the broad attack surface (any unauthenticated user) elevate business risk regardless of KEV status.
Risk score, explained
The CVSS 3.1 score of 7.5 (HIGH) reflects a network-accessible denial-of-service vulnerability with no authentication or user interaction barriers. The vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H indicates: network attack vector, low attack complexity, no privileges or user interaction required, and high availability impact. While confidentiality and integrity are not compromised, the availability impact alone justifies the HIGH severity rating and warrants prompt remediation.
Frequently asked questions
Does this vulnerability affect our application if we use <BrowserRouter> or <RouterProvider>?
No. The vulnerability is specific to React Router Framework Mode applications. If your application uses Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>), you are not affected and no action is required.
What should we do if we cannot patch immediately?
Implement network-level rate limiting and access controls on the __manifest endpoint to reduce the blast radius of potential attacks. Monitor request logs and application performance closely. However, these mitigations are not a substitute for patching—prioritize testing and deploying the patched versions as soon as feasible.
How can we identify if our application is vulnerable?
Check your package.json or yarn.lock file for react-router versions 7.0.0–7.14.x or @remix-run/server-runtime versions 2.10.0–2.17.4. Confirm your application uses Framework Mode routing. If both conditions are met, your application is vulnerable and requires patching.
Is there public exploit code available?
The vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities (KEV) catalog, meaning active exploitation in the wild has not been widely reported. However, the technical barrier to creating an exploit is low, and organizations should not rely on the absence of public weaponization as a reason to delay patching.
This analysis is based on the published CVE record and vendor advisory as of the date of publication. Organizations should verify all patch versions, compatibility notes, and deployment procedures against official Shopify and Remix documentation. This explainer does not constitute a comprehensive risk assessment for your specific environment. Conduct internal testing and threat modeling to align remediation with your organization's risk tolerance and incident response procedures. SEC.co assumes no liability for decisions made based on this intelligence. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2024-14036HIGHDräger Core Denial of Service via Malformed SDC Messages
- CVE-2026-10069HIGHShibby Tomato miniupnpd Resource Exhaustion Vulnerability
- CVE-2026-35266HIGHOracle REST Data Services Authentication & Data Integrity Vulnerability
- CVE-2026-35277HIGHOracle REST Data Services Authorization Bypass
- CVE-2026-37234HIGHFlexRIC E42 Resource Leak via Multiple xapp_id Binding
- CVE-2019-25721MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability – Network-Induced Device Reboots
- CVE-2019-25724MEDIUMDräger Infinity M300 Denial-of-Service Vulnerability Impact on Patient Monitoring
- CVE-2025-48648MEDIUMAndroid NotificationManagerService Resource Exhaustion DoS