DEV Community

CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42211: Remote Code Execution via Insecure Deserialization in React Router Framework Mode


Vulnerability ID: CVE-2026-42211
CVSS Score: 8.1
Published: 2026-06-03

A critical vulnerability exists in React Router v7 when running in Framework Mode. The vulnerability arises from insecure deserialization of TYPE_ERROR objects in the internal turbo-stream library, which resolves constructors from the global scope. If an application contains an independent prototype pollution vulnerability, an attacker can trigger unauthenticated Remote Code Execution (RCE) on the server.
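The resolution pattern described above, as an added example that is not React Router or turbo-stream code: a resolver that looks an error constructor up by name on a scope object (inheriting anything that reaches Object.prototype) beside an allowlist resolver, plus a check that flags names resolving only through inheritance. The record shape {type, message}, the constructed scope and every function name are assumptions.

```javascript
// Added example, not code from React Router or turbo-stream. Constructor names,
// the {type, message} record shape and helper names are assumptions.

const ALLOWED_ERRORS = new Map([
  ["Error", Error],
  ["TypeError", TypeError],
  ["RangeError", RangeError],
]);

// Risky: scope[name] walks the prototype chain, so a key that was added to
// Object.prototype is found exactly like a genuine global, and any function
// found is later invoked as a constructor.
function resolveFromScope(scope, name) {
  const ctor = scope[name];
  if (typeof ctor !== "function") {
    throw new TypeError(`no constructor named ${name}`);
  }
  return ctor;
}

// Hardened: a fixed Map of permitted error classes. Map lookups never consult
// Object.prototype, so pollution cannot widen the set of reachable constructors.
function resolveFromAllowlist(name) {
  if (typeof name !== "string" || !ALLOWED_ERRORS.has(name)) {
    throw new TypeError(`error type not permitted: ${name}`);
  }
  return ALLOWED_ERRORS.get(name);
}

// Revive a deserialized error record into an Error instance via the given resolver.
function reviveError(record, resolve) {
  const ctor = resolve(record.type);
  return new ctor(String(record.message ?? ""));
}

// Detection check: a name that resolves on a scope only through inheritance
// (present with `in`, absent as an own key) points at a polluted prototype.
function isInheritedKey(scope, name) {
  return name in scope && !Object.hasOwn(scope, name);
}

// Constructed stand-in for a polluted scope; Object.prototype itself is untouched.
function makePollutedScope() {
  const proto = { injected: function Injected(msg) { this.message = msg; } };
  return Object.create(proto);
}
```

Running `reviveError({ type: "injected", message: "x" }, (n) => resolveFromScope(makePollutedScope(), n))` succeeds, while the allowlist resolver rejects the same record.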

TL;DR

An insecure deserialization vulnerability in React Router Framework Mode allows unauthenticated Remote Code Execution (RCE) when chained with prototype pollution.


Technical Details

  • CWE ID: CWE-502
  • Attack Vector: Network
  • CVSS Score: 8.1
  • EPSS Score: 0.00252
  • Exploit Status: PoC
  • KEV Status: Not Listed

Affected Systems

  • React Router v7 applications deployed in Framework Mode
  • react-router: >= 7.0.0, < 7.14.2 (Fixed in: 7.14.2)

Code Analysis

Commit: 3d70cdd

Remove the undocumented custom error serialization logic from the internal turbo-stream implementation.

Mitigation Strategies

  • Upgrade react-router to version 7.14.2 or later
  • Launch Node.js with the `__proto__` accessor disabled (--disable-proto=throw), which blocks the most common prototype pollution path
  • Implement strict input validation on JSON/query payloads to prevent prototype pollution

Remediation Steps:

  1. Identify any react-router installations in your package.json mapping to versions >= 7.0.0 and < 7.14.2
  2. Execute the appropriate package manager command to update (e.g., npm install react-router@latest)
  3. Optionally add the --disable-proto=throw flag to the Node.js startup command in production environments

Read the full report for CVE-2026-42211 on our website for more details including interactive diagrams and full exploit analysis.
