React Router Remote Code Execution and SSRF (CVE-2026-42211, CVE-2026-42342): Critical Framework Vulnerabilities Affecting React Applications

Two vulnerabilities have been disclosed in React Router, the standard routing library for React applications, tracked as CVE-2026-42211 (CVSS 9.8, Critical) and CVE-2026-42342 (CVSS 7.5, High). CVE-2026-42211 enables remote code execution in Framework Mode; CVE-2026-42342 allows server-side request forgery. The second issue also affects the Remix v2 server package, @remix-run/server-runtime.

What Are the Vulnerabilities?

CVE-2026-42211, Remote Code Execution in Framework Mode (CVSS 9.8, Critical): In React Router Framework Mode, versions 7.0.0 through 7.14.1, a combination of steps can lead to unauthorised remote code execution. Framework Mode is the full-stack deployment mode in which React Router handles both client-side routing and server-side rendering, so an RCE here means compromise of the server that renders the application, not just of a user's browser. Applications that use React Router only for client-side routing are outside the scope of this CVE.

CVE-2026-42342, Server-Side Request Forgery (CVSS 7.5, High): In react-router versions 7.0.0 through 7.14.x and @remix-run/server-runtime versions 2.10.0 through 2.17.4, crafted requests can cause the server to issue requests to endpoints of the attacker's choosing, including internal network resources that are not reachable from outside. Because @remix-run/server-runtime is the Remix v2 server package, Remix applications are in scope as well as React Router 7 ones.

Which Versions Are Affected?

  • react-router 7.0.0 through 7.14.1 (CVE-2026-42211)
  • react-router 7.0.0 through 7.14.x (CVE-2026-42342)
  • @remix-run/server-runtime 2.10.0 through 2.17.4 (CVE-2026-42342)

What Is the Fix?

Update react-router to version 7.15.0 or later, which addresses both CVEs. A patched 7.14.x release is available for CVE-2026-42211, but the affected range for CVE-2026-42342 covers all 7.14.x releases, so only 7.15.0 or later closes both. Update @remix-run/server-runtime to version 2.18.0 or later.

Recommendations

Update React Router immediately in all projects, prioritising Framework Mode deployments, where CVE-2026-42211 (CVSS 9.8) means server compromise. Audit every React and Remix application for react-router and @remix-run/server-runtime, checking the lockfile rather than only the direct dependencies in package.json: nested copies pulled in by other packages are just as exploitable, and a React Router 7 project that lists only react-router-dom still ships react-router as its dependency. Until the SSRF fix is deployed, restrict outbound egress from the rendering server to the destinations it actually needs, so a forged request cannot reach cloud metadata services or internal admin endpoints.
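As an added example, not code from the original advisory or from the React Router project, the following Node.js script walks a package-lock.json (lockfileVersion 2 or 3, whose "packages" map lists every installed copy, nested ones included) and reports each installed react-router or @remix-run/server-runtime version that falls in the ranges given above. The embedded lockfile is constructed sample data; the ADVISORIES table, the function names and the minimal semver comparison (which orders a prerelease such as 7.15.0-pre.0 below 7.15.0 but does not implement full semver precedence) are this example's own. The script cannot tell whether a project runs in Framework Mode; that remains a manual check.

```javascript
// Added example: audit a package-lock.json for the react-router and
// @remix-run/server-runtime ranges listed in this advisory.
// Not React Router's own code; the sample lockfile below is constructed data.

// Affected ranges as stated in the advisory. lo is inclusive; hi is inclusive
// unless inclusiveHi is false ("7.14.x" is expressed as everything below 7.15.0).
const ADVISORIES = [
  { cve: "CVE-2026-42211", pkg: "react-router", lo: "7.0.0", hi: "7.14.1", inclusiveHi: true, note: "RCE (Framework Mode only)" },
  { cve: "CVE-2026-42342", pkg: "react-router", lo: "7.0.0", hi: "7.15.0", inclusiveHi: false, note: "SSRF" },
  { cve: "CVE-2026-42342", pkg: "@remix-run/server-runtime", lo: "2.10.0", hi: "2.17.4", inclusiveHi: true, note: "SSRF" },
];

// Minimal semver parse: "7.14.1", "v7.14.1", "7.15.0-pre.0", "7.14.1+build".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+[0-9A-Za-z.-]+)?$/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1. A prerelease sorts below the same release version, so a
// 7.15.0 prerelease is still inside the "< 7.15.0" SSRF range. Prerelease tags
// are compared lexically, a simplification of full semver precedence.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  if (pa.pre && pb.pre) return pa.pre < pb.pre ? -1 : pa.pre > pb.pre ? 1 : 0;
  return 0;
}

function isAffected(version, adv) {
  if (compareVersions(version, adv.lo) < 0) return false;
  const c = compareVersions(version, adv.hi);
  return adv.inclusiveHi ? c <= 0 : c < 0;
}

// Lockfile v2/v3 keys look like "node_modules/react-router" or
// "node_modules/some-lib/node_modules/@remix-run/server-runtime"; take the
// package name after the last "node_modules/", keeping an @scope if present.
const PKG_PATH = /(?:^|\/)node_modules\/((?:@[^/]+\/)?[^/]+)$/;

// Returns one finding per (installed copy, advisory) match.
function findAffected(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const m = PKG_PATH.exec(path);
    if (!m || !entry.version) continue;
    for (const adv of ADVISORIES) {
      if (adv.pkg === m[1] && isAffected(entry.version, adv)) {
        findings.push({ path, name: m[1], version: entry.version, cve: adv.cve, note: adv.note });
      }
    }
  }
  return findings;
}

function loadLock(file) {
  const fs = require("fs");
  return JSON.parse(fs.readFileSync(file, "utf8"));
}

// Constructed sample lockfile: one vulnerable top-level copy of each package,
// a fixed nested copy, an out-of-range v6 copy and a 7.15.0 prerelease.
const SAMPLE_LOCK = {
  name: "sample-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/react-router": { version: "7.14.1" },
    "node_modules/@remix-run/server-runtime": { version: "2.17.4" },
    "node_modules/some-ui-kit/node_modules/react-router": { version: "7.15.0" },
    "node_modules/legacy-lib/node_modules/react-router": { version: "6.30.0" },
    "node_modules/preview-lib/node_modules/react-router": { version: "7.15.0-pre.0" },
  },
};

if (typeof require === "function" && require.main === module) {
  const file = process.argv[2];
  const findings = findAffected(file ? loadLock(file) : SAMPLE_LOCK);
  for (const f of findings) console.log(`${f.cve}\t${f.path}@${f.version}\t${f.note}`);
  if (findings.length === 0) console.log("no affected react-router / @remix-run/server-runtime copies found");
  // Fail a CI step when auditing a real lockfile turns up a match.
  if (file && findings.length > 0) process.exitCode = 1;
}
```

Run it as node audit-react-router.js path/to/package-lock.json; it exits non-zero when a real lockfile contains a match, so it can gate a CI step, and without an argument it runs against the embedded sample. For an interactive inventory, npm ls react-router @remix-run/server-runtime --all lists the same installed copies, including nested ones.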

References


This advisory is covered in the broader Vulnerability Intelligence Report — June 4, 2026.
