=====================================================================
CERT-Renater Information Note No. 2026/VULN589
_____________________________________________________________________

DATE : 04/06/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running react-router (npm) versions prior to 7.15.0, @remix-run/server-runtime (npm) versions prior to 2.17.5, turbo-stream (npm) versions prior to 3.0.0.
=====================================================================

https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h
https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42
https://github.com/remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62
https://github.com/remix-run/react-router/security/advisories/GHSA-f22v-gfqf-p8f3
https://github.com/remix-run/react-router/security/advisories/GHSA-rxv8-25v2-qmq8
https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78
_____________________________________________________________________

Potential RCE via 2-step attack chained onto existing prototype pollution vulnerability

Severity: High
Published by brophdawg11 as GHSA-49rj-9fvp-4h2h on Jun 2, 2026
Package: react-router (npm)
Affected versions: >=7.0.0, <=7.14.1
Patched versions: >=7.14.2

Description:
When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. That pollution can be leveraged into a 2-step attack in which the second step triggers unauthorized RCE on the remote server.

Note: This does not impact your React Router application if you are using Declarative Mode or Data Mode (createBrowserRouter).
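The advisory above is conditioned on the application itself being prototype-pollutable. The following is an added illustration, not code from react-router or from the advisory, of what that precondition typically looks like in application code and how to close it: a recursive merge of untrusted JSON that writes through a "__proto__" key, beside a variant that copies own properties only and refuses the special keys. The settings payload and the config object are constructed for the example; nothing here reproduces the react-router chain itself.

```javascript
// Added example (not react-router's code): application-side prototype pollution
// of the kind the RCE advisory requires as its first step, and a hardened merge.

const UNSAFE_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Vulnerable: enumerates every key of the untrusted source, including an own
// "__proto__" key created by JSON.parse. Reading target["__proto__"] on a plain
// object yields Object.prototype, so the recursion writes into it.
function mergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === 'object') {
      if (typeof target[key] !== 'object' || target[key] === null) target[key] = {};
      mergeUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, the three special keys are dropped, and nested
// targets are created rather than reached through an inherited accessor.
function mergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (UNSAFE_KEYS.has(key)) continue;
    const value = source[key];
    if (value !== null && typeof value === 'object' && !Array.isArray(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      const child = own !== null && typeof own === 'object' ? own : (target[key] = {});
      mergeSafe(child, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Runs one merge with a constructed attacker-style body (e.g. a JSON request to a
// "save my settings" endpoint that merges into a server-side config object) and
// reports whether an unrelated object now sees the injected property.
function demo(mergeFn) {
  const payload = JSON.parse('{"theme":"dark","__proto__":{"polluted":"yes"}}');
  const config = mergeFn({ theme: 'light' }, payload);
  const leaked = ({}).polluted;      // fresh object: did Object.prototype change?
  delete Object.prototype.polluted;  // undo so the demo is repeatable
  return { theme: config.theme, leaked };
}

console.log('unsafe merge:', demo(mergeUnsafe)); // leaked: 'yes'
console.log('safe merge:  ', demo(mergeSafe));   // leaked: undefined
```

The check a practitioner wants here is the `({}).polluted` probe: any code path that merges request-controlled JSON into an object should be exercised with a "__proto__" key and a fresh object inspected afterwards. Audit utilities with the same shape (deep merge, deep set, query-string parsers with bracket syntax) the same way.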
Severity: High, 8.1/10
CVSS v3.1 base metrics: Attack vector: Network; Attack complexity: High; Privileges required: None; User interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID: CVE-2026-42211
Weakness: CWE-502
Credits: @SM41ldRag0n (reporter)
_____________________________________________________________________

Same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

Severity: Moderate
Published by brophdawg11 as GHSA-2j2x-hqr9-3h42 on Jun 2, 2026
Package: react-router (npm)
Affected versions: >=7.0.0, <7.14.1 and >=6.7.0, <6.30.4
Patched versions: >=7.14.1 and >=6.30.4

Description:
Certain URLs passed to the redirect function can trigger an open redirect to an external domain, depending on the level of validation done by the application prior to returning the redirect. A path that begins with // is interpreted by browsers as a protocol-relative URL (//host/path), so a value that passes a "starts with /" check can still send the user to another host.

Note: This does not impact your React Router application if you are using Declarative Mode.
CVE ID: CVE-2026-40181
Weaknesses: none assigned
_____________________________________________________________________

XSS in unstable RSC redirect handling via javascript: redirect targets

Severity: High
Published by brophdawg11 as GHSA-8646-j5j9-6r62 on Jun 2, 2026
Package: react-router
Affected versions: >=7.7.0, <7.13.2
Patched versions: >=7.13.2

Description:
When using React Router v7's unstable RSC APIs, there exists a potential client-side XSS issue in the RSC redirect handling if redirect targets come from untrusted sources, specifically a target using the javascript: scheme.

Note: This only impacts your application if you are using the unstable RSC APIs in React Router.
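The three redirect advisories (the // open redirect above, the javascript: target in RSC redirect handling above, and the unescaped Location header in prerendered HTML below) share one application-side mitigation: validate a redirect target before passing it to redirect(), and escape it for the HTML context if it is ever written into static markup. The following is an added example and not react-router's code; APP_ORIGIN and the sample targets are constructed placeholders. It relies on the WHATWG URL parser (Node's global URL) to see a //host path or a /\host path the same way a browser will.

```javascript
// Added example (not react-router's code): same-origin redirect validation and
// HTML-context escaping for a Location value. APP_ORIGIN is a placeholder.

const APP_ORIGIN = 'https://app.example';

// Returns a same-origin path (path + query + fragment) or null when the value
// would leave the origin or carries a script-bearing scheme. Resolving against
// the app origin makes "//evil.example/x", "/\\evil.example", "https://evil.example"
// and "javascript:..." all come out with an origin that is not ours
// (javascript: resolves to the opaque origin "null").
function safeRedirectPath(target, origin = APP_ORIGIN) {
  if (typeof target !== 'string' || target.length === 0 || target.length > 2048) return null;
  // Reject control characters and whitespace that the URL parser would silently strip
  // (e.g. "java\nscript:"), rather than relying on the parser's cleanup.
  if (/[\u0000-\u001f\u007f\s]/.test(target)) return null;
  let url;
  try {
    url = new URL(target, origin);
  } catch {
    return null;
  }
  if (url.origin !== origin) return null;
  return url.pathname + url.search + url.hash;
}

// Escapes a string for use inside a double- or single-quoted HTML attribute.
function escapeHtmlAttr(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// When a redirect response is prerendered into a static HTML file, the Location
// value becomes attribute text (meta refresh, fallback link) and must be both
// validated and escaped for that context. Returns null for a rejected target.
function prerenderedRedirectHtml(location) {
  const safe = safeRedirectPath(location);
  if (safe === null) return null;
  const attr = escapeHtmlAttr(safe);
  return '<!DOCTYPE html><html><head>' +
    `<meta http-equiv="refresh" content="0;url=${attr}">` +
    '</head><body>' +
    `<a href="${attr}">Redirecting</a>` +
    '</body></html>';
}

// Constructed sample targets: the first two are accepted, the rest rejected.
for (const t of ['/dashboard?tab=1#x', 'https://app.example/ok',
                 '//evil.example/x', '/\\evil.example', 'https://evil.example/',
                 'javascript:alert(1)', '/a\tb']) {
  console.log(JSON.stringify(t), '->', safeRedirectPath(t));
}
```

Deny-listing prefixes ("//", "javascript:") is the fragile version of this check; comparing the resolved origin catches backslash and scheme variants without maintaining such a list, and returning only the path component guarantees the value handed to redirect() can never name a host.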
Severity: High, 8.0/10
CVSS v3.1 base metrics: Attack vector: Network; Attack complexity: High; Privileges required: None; User interaction: Required; Scope: Changed; Confidentiality: High; Integrity: High; Availability: None
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
CVE ID: CVE-2026-33245
Weakness: CWE-79
Credits: @x4cc3 (reporter)
_____________________________________________________________________

Stored XSS via unescaped Location header in prerendered redirect HTML

Severity: Moderate
Published by brophdawg11 as GHSA-f22v-gfqf-p8f3 on Jun 2, 2026
Package: react-router (npm)
Affected versions: >=7.5.1, <7.13.2
Patched versions: >=7.13.2

Description:
When using React Router v7 Framework Mode with Pre-rendering enabled, improper neutralization of the HTTP Location header value can permit Cross-Site Scripting (XSS) in statically generated HTML files if the redirect location comes from an untrusted source.

Note: This does not impact your React Router application if you are using Declarative Mode or Data Mode (createBrowserRouter).

Severity: Moderate, 5.4/10
CVSS v3.1 base metrics: Attack vector: Network; Attack complexity: Low; Privileges required: Low; User interaction: Required; Scope: Changed; Confidentiality: Low; Integrity: Low; Availability: None
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVE ID: CVE-2026-33244
Weakness: CWE-79
Credits: @yuito-it (reporter)
_____________________________________________________________________

Denial of Service via reflected user input in single-fetch

Severity: High
Published by brophdawg11 as GHSA-rxv8-25v2-qmq8 on Jun 2, 2026
Package: react-router (npm)
Affected versions: >=7.0.0, <7.14.0
Patched versions: >=7.14.0
Package: turbo-stream (npm)
Affected versions: <=2.4.1
Patched versions: >=3.0.0

Description:
A DoS vulnerability exists in React Router v7 Framework Mode, as well as in Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses, so user input that is reflected into a loader or action response can be used to tie up the server.
Please upgrade to React Router v7.14.0 or later.

Note: This does not impact your React Router application if you are using Declarative Mode or Data Mode (createBrowserRouter).

Severity: High, 7.5/10
CVSS v3.1 base metrics: Attack vector: Network; Attack complexity: Low; Privileges required: None; User interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-34077
Weaknesses: none assigned
Credits: @Oceandust (reporter)
_____________________________________________________________________

DoS via unbounded path expansion in __manifest endpoint

Severity: High
Published by brophdawg11 as GHSA-8x6r-g9mw-2r78 on Jun 2, 2026
Package: @remix-run/server-runtime (npm)
Affected versions: >=2.10.0, <2.17.5
Patched versions: >=2.17.5
Package: react-router (npm)
Affected versions: >=7.0.0, <7.15.0
Patched versions: >=7.15.0

Description:
There exists a potential DoS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 to 2.17.4). Certain requests to the __manifest endpoint can be crafted to consume disproportionate resources on the server, resulting in response time degradation and/or service unavailability for end users.

Note: This does not impact your React Router application if you are using Declarative Mode or Data Mode (createBrowserRouter).

Severity: High, 7.5/10
CVSS v3.1 base metrics: Attack vector: Network; Attack complexity: Low; Privileges required: None; User interaction: None; Scope: Unchanged; Confidentiality: None; Integrity: None; Availability: High
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE ID: CVE-2026-42342
Weakness: CWE-400
Credits: @adrgs (reporter), @aisafe-bot (finder)

=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel    | fax : 01-53-94-20-41            +
+ 75013 Paris         | email:cert@support.renater.fr   +
=========================================================