
CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-42342: Uncontrolled Resource Consumption and Denial of Service in React Router and Remix

Vulnerability ID: CVE-2026-42342
CVSS Score: 7.5
Published: 2026-06-03

An Uncontrolled Resource Consumption vulnerability (CWE-400) affects React Router in Framework Mode and Remix server runtimes. A remote, unauthenticated attacker can trigger unbounded recursive path expansion in the manifest resolution component, leading to 100% CPU exhaustion and complete Denial of Service. The vulnerability arises because the server does not enforce depth limits when parsing deeply nested path segments in requests directed to the dynamic manifest evaluation endpoints. This blocks the single-threaded Node.js event loop, preventing the processing of subsequent client requests. The issue is resolved in react-router v7.15.0 and @remix-run/server-runtime v2.17.5. Applications using React Router in client-side-only Declarative or Data modes are unaffected.

TL;DR

A high-severity Denial of Service vulnerability in React Router (v7 Framework Mode) and Remix (v2) allows unauthenticated remote attackers to exhaust server resources and freeze the Node.js event loop via unbounded path expansion requests to the manifest resolution engine. Upgrade to react-router v7.15.0 or @remix-run/server-runtime v2.17.5 to resolve.

⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-400
  • Attack Vector: Network (AV:N)
  • CVSS Score: 7.5
  • EPSS Score: 0.00051 (16.30% percentile)
  • Exploit Status: Theoretical / Proof of Concept Only
  • CISA KEV Status: Not Listed
  • Impact: Denial of Service (DoS) via CPU Exhaustion

Affected Systems

  • React Router Framework Mode applications
  • Remix server-side web applications
  • react-router: >= 7.0.0, < 7.15.0 (Fixed in: 7.15.0)
  • @remix-run/server-runtime: >= 2.10.0, < 2.17.5 (Fixed in: 2.17.5)

Mitigation Strategies

  • Upgrade react-router to version 7.15.0 or higher
  • Upgrade @remix-run/server-runtime to version 2.17.5 or higher
  • Configure reverse proxy or WAF block lists based on request path segment count and length

Remediation Steps:

  1. Identify vulnerable packages using npm list react-router or yarn licenses list.
  2. Update dependencies in package.json to the fixed versions (react-router 7.15.0 or @remix-run/server-runtime 2.17.5).
  3. Run npm install or yarn install to update package-lock.json or yarn.lock.
  4. Implement Nginx URI character limits or path-depth boundaries for temporary protection.
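As an added defensive example (not code from react-router, Remix or the original report), the following Node.js request guard implements the path-segment-count and length bounds that the mitigation list recommends for a reverse proxy or WAF, here as an Express-style middleware mounted in front of the framework's request handler. The limit values and the `(req, res, next)` middleware signature are assumptions; tune the limits to the deepest legitimate route the application serves.

```javascript
// Added example, not part of react-router or Remix: bound the size and depth
// of a request path before it reaches any path-expanding server code.
const DEFAULT_LIMITS = { maxLength: 2048, maxSegments: 32, maxSegmentLength: 256 };

// Decide whether a request path is within bounds. The path is percent-decoded
// once before counting so that encoded slashes ("%2F") cannot smuggle extra
// segments past the depth check.
function evaluateRequestPath(rawPath, limits = DEFAULT_LIMITS) {
  const cfg = { ...DEFAULT_LIMITS, ...limits };
  if (typeof rawPath !== 'string' || !rawPath.startsWith('/')) {
    return { allowed: false, reason: 'malformed-path', segments: 0 };
  }
  if (rawPath.length > cfg.maxLength) {
    return { allowed: false, reason: 'path-too-long', segments: 0 };
  }
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch {
    return { allowed: false, reason: 'bad-encoding', segments: 0 };
  }
  const segments = decoded.split('/').filter(Boolean); // drop empty "//" parts
  if (segments.length > cfg.maxSegments) {
    return { allowed: false, reason: 'too-many-segments', segments: segments.length };
  }
  if (segments.some((s) => s.length > cfg.maxSegmentLength)) {
    return { allowed: false, reason: 'segment-too-long', segments: segments.length };
  }
  return { allowed: true, segments: segments.length };
}

// Express/Connect-style middleware factory (assumed signature). Rejected
// requests get a cheap, constant-time 400/414 response and never reach the
// framework handler, so the event loop is not tied up by oversized paths.
function pathGuard(limits) {
  return function guard(req, res, next) {
    const pathname = (req.url || '').split('?')[0];
    const verdict = evaluateRequestPath(pathname, limits);
    if (!verdict.allowed) {
      res.statusCode = verdict.reason === 'path-too-long' ? 414 : 400;
      res.setHeader('Content-Type', 'text/plain');
      res.end(`rejected: ${verdict.reason}`);
      return;
    }
    next();
  };
}
```

Log the `reason` and `segments` fields of rejected requests at the proxy or app layer; a spike in `too-many-segments` rejections is a useful detection signal while the upgrade is rolled out.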

Read the full report for CVE-2026-42342 on our website for more details including interactive diagrams and full exploit analysis.
