๐Ÿ” CVE Alert

CVE-2025-59057

HIGH 7.6

React Router has XSS Vulnerability

CVSS Score
7.6
EPSS Score
0.0%
EPSS Percentile
0th

React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.

CWE CWE-79
Vendor remix-run
Product react-router
Published Jan 10, 2026
Last Updated Jun 30, 2026
Stay Ahead of the Next One

Get instant alerts for remix-run react-router

Be the first to know when new high vulnerabilities affecting remix-run react-router are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
Required
Scope
Changed
Confidentiality
High
Integrity
Low
Availability
None

Affected Versions

remix-run / react-router
@remix-run/react >= 1.15.0, < 2.17.1 react-router >= 7.0.0, < 7.9.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8 access.redhat.com: https://access.redhat.com/security/cve/CVE-2025-59057 bugzilla.redhat.com: https://bugzilla.redhat.com/show_bug.cgi?id=2428426 security.access.redhat.com: https://security.access.redhat.com/data/csaf/v2/vex/2025/cve-2025-59057.json access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3958 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3960 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:3782 access.redhat.com: https://access.redhat.com/errata/RHSA-2026:19712