Skip to content

Update dependency react-router to v7.15.1 [SECURITY]#298

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-react-router-vulnerability
Open

Update dependency react-router to v7.15.1 [SECURITY]#298
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-react-router-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 4, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
react-router (source) 7.14.07.15.1 age confidence

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

CVE-2026-42211 / GHSA-49rj-9fvp-4h2h

More information

Details

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in which the second step can trigger unauthorized RCE on the remote server.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

  • CVSS Score: 8.1 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

CVE-2026-40181 / GHSA-2j2x-hqr9-3h42

More information

Details

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>)

Severity

  • CVSS Score: 6.6 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

CVE-2026-42342 / GHSA-8x6r-g9mw-2r78

More information

Details

There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

  • CVSS Score: 7.5 / 10 (High)
  • Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

React Router: Potential CSRF via PUT/PATCH/DELETE document requests

CVE-2026-53663 / GHSA-84g9-w2xq-vcv6

More information

Details

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

  • CVSS Score: 3.1 / 10 (Low)
  • Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Release Notes

remix-run/react-router (react-router)

v7.15.1

Compare Source

Patch Changes
  • Update router to operate on fetcher Maps in an immutable manner to avoid delayed React renders from potentially reading an updated but not yet committed Map. This could result in brief flickers in some fetcher-driven optimistic UI scenarios. (#​15028)
  • Fix serverLoader() returning stale SSR data when a client navigation aborts pending hydration before the hydration clientLoader resolves (#​15022)
  • Fix RouterProvider onError callback not being called for synchronous initial loader errors in SPA mode (#​15039) (#​14942)
  • Memoize useFetchers to return a stable identity and only change if fetchers changed (#​15028)
  • Internal refactor to consolidate mutation request detection through shared utility (#​15033)
Unstable Changes

⚠️ Unstable features are not recommended for production use

  • Add a new unstable_useRouterState() hook that consolidates access to active and pending router states (RFC: #​12358) (#​15017)

    • Data/Framework/RSC only — throws when used without a data router

    • This should allow you to consolidate usages of the following hooks which will likely be deprecated and removed in a future major version

      • useLocation
      • useSearchParams
      • useParams
      • useMatches
      • useNavigationType
      • useNavigation
      let { active, pending } = unstable_useRouterState();

// Active is always populated with the current location
active.location; // replaces `useLocation()`
active.searchParams; // replaces `useSearchParams()[0]`
active.params; // replaces `useParams()`
active.matches; // replaces `useMatches()`
active.type; // replaces `useNavigationType()`

// Pending is only populated during a navigation
pending.location; // replaces `useNavigation().location`
pending.searchParams; // equivalent to `new URLSearchParams(useNavigation().search)`
pending.params; // Not directly accessible today
pending.matches; // Not directly accessible today
pending.type; // Not directly accessible today
pending.state; // replaces `useNavigation().state`
pending.formMethod; // replaces useNavigation().formMethod
pending.formAction; // replaces useNavigation().formAction
pending.formEncType; // replaces useNavigation().formEncType
pending.formData; // replaces useNavigation().formData
pending.json; // replaces useNavigation().json
pending.text; // replaces useNavigation().text

v7.15.0

Compare Source

Minor Changes

  • Stabilize unstable_defaultShouldRevalidate as defaultShouldRevalidate on <Link>, <Form>, useLinkClickHandler, useSubmit, fetcher.submit, and setSearchParams (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize the instrumentation APIs. unstable_instrumentations is now instrumentations and unstable_pattern is now pattern (a993f09)

    • The unstable_ServerInstrumentation, unstable_ClientInstrumentation, unstable_InstrumentRequestHandlerFunction, unstable_InstrumentRouterFunction, unstable_InstrumentRouteFunction, and unstable_InstrumentationHandlerResult types have had their unstable_ prefixes removed
    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize unstable_mask as mask on <Link>, useLinkClickHandler, and useNavigate, and rename the corresponding Location.unstable_mask field to Location.mask (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize the unstable_normalizePath option on staticHandler.query and staticHandler.queryRoute as normalizePath (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize future.unstable_passThroughRequests as future.v8_passThroughRequests (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Remove unstable_subResourceIntegrity from the runtime FutureConfig type; the flag is now controlled by the top-level subResourceIntegrity option in react-router.config.ts (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize unstable_url as url on loader, action, and middleware function args (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

  • Stabilize unstable_useTransitions as useTransitions on <BrowserRouter>, <HashRouter>, <HistoryRouter>, <MemoryRouter>, <Router>, <RouterProvider>, <HydratedRouter>, and useLinkClickHandler (a993f09)

    • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly
Patch Changes

  • Add nonce to <Scripts> <link rel="modulepreload"> elements (if provided) (af5d49b)

  • Fix a bug with unstable_defaultShouldRevalidate={false} where parent routes that did not export a shouldRevalidate function could be incorrectly included in the single fetch call for new child route data (#​15012)

  • Improve server-side route matching performance by pre-computing flattened/cached route branches (#​14967) (af5d49b)

    • Performance benchmarks showed roughly a 10-15% improvement in server-side request handling performance

  • Mark mask as an optional field in Location for easier mocking in unit tests (#​14999)

  • Cache flattened/ranked route branches to optimize server-side route matching (#​14967)

  • Improve route matching performance in Framework/Data Mode (#​14971) (af5d49b)

    • Avoiding unnecessary calls to matchRoutes in data router scenarios
      • This includes adding back the optimization that was removed in 7.6.0 (#​13562)
      • The issues that prompted the revert have been addressed by using the available router matches but always updating match.route to the latest route in the manifest
    • Leverage pre-computed pre-computing flattened/cached route branches during client side route matching
    • Performance benchmarks showed roughly a 15-30% improvement in server-side request handling performance

v7.14.2

Compare Source

Patch Changes

  • Remove the un-documented custom error serialization logic from the internal turbo-stream implementation. React Router only automatically handles serialization of Error and it's standard subtypes (SyntaxError, TypeError, etc.). ([aabf4a1)

  • Properly handle parent middleware redirects during fetcher.load ([aabf4a1)

  • Remove redundant Omit<RouterProviderProps, "flushSync"> from react-router/dom RouterProvider ([aabf4a1)

  • Improved types for generatePath's param arg ([aabf4a1)

    Type errors when required params are omitted:

    // Before
// Passes type checks, but throws at runtime 💥
generatePath(":required", { required: null });

// After
generatePath(":required", { required: null });
//                          ^^^^^^^^ Type 'null' is not assignable to type 'string'.ts(2322)

    Allow omission of optional params:

    // Before
generatePath(":optional?", {});
//                         ^^ Property 'optional' is missing in type '{}' but required in type '{ optional: string | null | undefined; }'.ts(2741)

// After
generatePath(":optional?", {});

    Allows extra keys:

    // Before
generatePath(":a", { a: "1", b: "2" });
//                           ^ Object literal may only specify known properties, and 'b' does not exist in type '{ a: string; }'.ts(2353)

// After
generatePath(":a", { a: "1", b: "2" });

v7.14.1

Compare Source

Patch Changes
  • Fix a potential race condition that can occur when rendering a HydrateFallback and initial loaders land before the router.subscribe call happens in the RouterProvider layout effect
  • Normalize double-slashes in redirect paths

Configuration

📅 Schedule: (in timezone Asia/Tokyo)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot requested a review from a team as a code owner June 4, 2026 05:30
@renovate renovate Bot added the dependencies Pull requests that update a dependency file label Jun 4, 2026
@renovate renovate Bot force-pushed the renovate/npm-react-router-vulnerability branch from 0131172 to 8c8fcd2 Compare June 17, 2026 02:16
@renovate renovate Bot changed the title Update dependency react-router to v7.15.0 [SECURITY] Update dependency react-router to v7.15.1 [SECURITY] Jun 17, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@sankichi92 Takahiro Miyoshi (sankichi92) Awaiting requested review from sankichi92

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants