Vulnerability-Lookup

GHSA-8X6R-G9MW-2R78

Vulnerability from github – Published: 2026-06-03 21:05 – Updated: 2026-06-03 21:05

Summary

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

Details

There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users.

[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

7.5 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "react-router"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "7.0.0"
            },
            {
              "fixed": "7.15.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@remix-run/server-runtime"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "2.10.0"
            },
            {
              "fixed": "2.17.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-42342"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-400"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T21:05:17Z",
    "nvd_published_at": "2026-06-02T20:16:36Z",
    "severity": "HIGH"
  },
  "details": "There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4).  Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users.\n\n\u003e [!NOTE]\n\u003e This does not impact your React Router application if you are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`\u003cBrowserRouter\u003e`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`\u003cRouterProvider\u003e`).",
  "id": "GHSA-8x6r-g9mw-2r78",
  "modified": "2026-06-03T21:05:17Z",
  "published": "2026-06-03T21:05:17Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42342"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/remix-run/react-router"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint"
}

CVE-2026-42342 (GCVE-0-2026-42342)

Vulnerability from cvelistv5 – Published: 2026-06-02 18:23 – Updated: 2026-06-03 13:52

Title

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

Summary

React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.

Severity

7.5 (High)


                        
                          CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

SSVC

Exploitation: none Automatable: yes Technical Impact: partial

CISA Coordinator (v2.0.3)

CWE

CWE-400 - Uncontrolled Resource Consumption

Assigner

GitHub_M

References

1 reference

URL	Tags
https://github.com/remix-run/react-router/securit…	x_refsource_CONFIRM

Impacted products

2 products

Vendor	Product	Version
remix-run	react-router	Affected: >= 7.0.0, < 7.15.0
remix-run	@remix-run/server-runtime	Affected: >= 2.10.0, < 2.17.5

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-42342",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-03T13:52:31.015400Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-03T13:52:43.400Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "react-router",
          "vendor": "remix-run",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 7.0.0, \u003c 7.15.0"
            }
          ]
        },
        {
          "product": "@remix-run/server-runtime",
          "vendor": "remix-run",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= 2.10.0, \u003c 2.17.5"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`\u003cBrowserRouter\u003e`) or Data Mode (`createBrowserRouter/\u003cRouterProvider\u003e`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "HIGH",
            "baseScore": 7.5,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "NONE",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-400",
              "description": "CWE-400: Uncontrolled Resource Consumption",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-02T18:23:02.765Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78"
        }
      ],
      "source": {
        "advisory": "GHSA-8x6r-g9mw-2r78",
        "discovery": "UNKNOWN"
      },
      "title": "React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-42342",
    "datePublished": "2026-06-02T18:23:02.765Z",
    "dateReserved": "2026-04-26T13:26:14.514Z",
    "dateUpdated": "2026-06-03T13:52:43.400Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-8X6R-G9MW-2R78

CVE-2026-42342 (GCVE-0-2026-42342)

Tags

Sightings

Nomenclature