DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34077: Denial of Service and Unsafe Deserialization in React Router Single Fetch

Vulnerability ID: CVE-2026-34077
CVSS Score: 7.5
Published: 2026-06-04

React Router and the underlying turbo-stream vendor library contain a vulnerability allowing remote unauthenticated attackers to trigger a Denial of Service (DoS) or potentially client-side Cross-Site Scripting (XSS) due to unsafe dynamic deserialization of streaming error payloads.

TL;DR

A dynamic object instantiation flaw in turbo-stream allows unauthenticated remote attackers to crash React Router or Remix applications via crafted payloads that instantiate non-constructor objects or cause out-of-memory errors.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-770
  • Attack Vector: Network
  • CVSS Score: 7.5
  • EPSS Score: 0.0004 (12.33 percentile)
  • Impact: Denial of Service (DoS) / Process Crash
  • Exploit Status: Proof-of-Concept / Theoretical
  • CISA KEV Status: Not Listed

Affected Systems

  • react-router
  • turbo-stream
  • Remix
  • react-router: >= 7.0.0, < 7.14.0 (Fixed in: 7.14.0)
  • react-router (RSC context): >= 7.7.0, < 7.13.2 (Fixed in: 7.13.2)
  • turbo-stream: < 3.0.0 (Fixed in: 3.0.0)

Code Analysis

Commit: 5981192

Fix dynamic error serialization in turbo-stream by strictly instantiating standard Error objects and stripping the error constructor dynamic lookup

case TYPE_ERROR:
-  const [, message, errorType] = value;
-  let error =
-    errorType && globalObj && globalObj[errorType]
-      ? new globalObj[errorType](message)
-      : new Error(message);
+  const [, message] = value;
+  let error = new Error(message);
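Review bot: the third tuple element is now silently discarded by `const [, message] = value;` with nothing in the hunk saying why; add a one-line comment stating that the error type is intentionally ignored because looking up a constructor on the global object by a wire-controlled name is unsafe, so a later contributor does not reintroduce the dynamic lookup in the name of "preserving error types". Minor: `let error = new Error(message);` can be `const` if `error` is not reassigned later in this case.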

Mitigation Strategies

  • Upgrade react-router to version 7.14.0 or above
  • Ensure nested dependency turbo-stream is resolved to 3.0.0 or above
  • Employ rate limiting on single-fetch and RSC streaming routes
  • Filter incoming HTTP streams for suspicious or unverified error names
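The patched TYPE_ERROR case above always builds a plain Error. As an added example (not turbo-stream's or React Router's own code) of the "filter unverified error names" mitigation, the decoder below handles the same `[TYPE_ERROR, message, errorType]` frame shape but only ever reconstructs one of the standard ECMAScript error classes, never an arbitrary global, and bounds the message size. The tag value `TYPE_ERROR`, the names `decodeErrorFrame`, `ALLOWED_ERROR_NAMES` and `MAX_MESSAGE_LENGTH`, and the 4096-byte cap are assumptions for this illustration.

```javascript
// Added example, not library code. Hardened decoder for a streamed error frame
// of the shape [TYPE_ERROR, message, errorType] seen in the turbo-stream diff.

const TYPE_ERROR = "E"; // assumed tag value; the real encoding is the library's

// Fixed allowlist of constructors that may be selected by name. A Map (not a
// plain object) is used so that keys such as "constructor" or "__proto__"
// cannot reach Object.prototype, and no other global is ever reachable.
const ALLOWED_ERROR_NAMES = new Map([
  ["Error", Error],
  ["EvalError", EvalError],
  ["RangeError", RangeError],
  ["ReferenceError", ReferenceError],
  ["SyntaxError", SyntaxError],
  ["TypeError", TypeError],
  ["URIError", URIError],
]);

// Assumed cap: the message is attacker-controlled, so its size is bounded.
const MAX_MESSAGE_LENGTH = 4096;

function decodeErrorFrame(value) {
  if (!Array.isArray(value) || value[0] !== TYPE_ERROR) {
    throw new TypeError("not an error frame");
  }
  const [, rawMessage, errorType] = value;
  // Coerce and truncate: never trust the type or length of a wire value.
  const message = String(rawMessage ?? "").slice(0, MAX_MESSAGE_LENGTH);
  // Unknown, non-string, or non-standard names degrade to a plain Error.
  // There is no `new` on a value chosen by the sender, so a name that
  // resolves to a non-constructor (or to nothing) cannot throw here.
  const Ctor = ALLOWED_ERROR_NAMES.get(errorType) ?? Error;
  return new Ctor(message);
}
```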

Remediation Steps:

  1. Open your application's package.json file
  2. Update the 'react-router' dependency to '^7.14.0' or the respective patched version
  3. Execute your package manager's update command (e.g., 'npm update react-router' or 'yarn upgrade react-router')
  4. Verify the resolution of 'turbo-stream' to version '^3.0.0' or higher within your package lockfile
  5. Deploy the updated application to staging, validating that streaming endpoints resolve correctly without exceptions
  6. Roll out the patched build to production environments

Read the full report for CVE-2026-34077 on our website for more details including interactive diagrams and full exploit analysis.
