CVE

GHSA-3cgp-3xvw-98x8

React Router has XSS Vulnerability

CVE

GHSA-3cgp-3xvw-98x8

React Router has XSS Vulnerability

A XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.

[!NOTE]
This does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

7.6

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

7.6

3.1

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N

Related Resources

No items found.

References

https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8, https://nvd.nist.gov/vuln/detail/CVE-2025-59057, https://github.com/remix-run/react-router

Severity

7.6

CVSS Score

Basic Information

Ecosystem

Base CVSS

7.6

EPSS Probability

0.00037%

EPSS Percentile

0.1074%

Introduced Version

7.0.0,1.15.0,2.0.0-pre.0,0.0.0-experimental-01e349e01,1.15.0-pre.0,0.0.0-experimental-8d8ac4a52,7.7.0-pre.0,0.0.0-nightly-015f47ae3-20250807,0.0.0-experimental-14dc7c1,7.0.0-pre.6,0.0.0-experimental-004e483a8,7.0.0-pre.3,0.0.0-experimental-9f7fdccd4,7.0.0-pre.0,0.0.0-experimental-07f9b5e04

Fix Available

7.9.0,2.17.1,7.9.0-pre.1,0.0.0-nightly-2d83c217d-20250913,0.0.0-experimental-4cf5bd08c

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

GHSA-3cgp-3xvw-98x8