org.webjars.npm:react-router 7.5.2

Direct Vulnerabilities

Known vulnerabilities in the org.webjars.npm:react-router package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the navigation redirect process for loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes. An attacker can execute arbitrary JavaScript code in the context of the user's browser by supplying a crafted URL that is used as a redirect target. Note: This issue does not impact applications using Declarative Mode `<BrowserRouter>`. How to fix Cross-site Scripting (XSS)? Upgrade `org.webjars.npm:react-router` to version 7.12.0 or higher.	[7.0.0,7.12.0)
M Cross-site Request Forgery (CSRF) Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the improper origin checks of UI route submissions in server-side route `action` handlers in Framework Mode. An attacker can execute unauthorized actions by tricking a user into submitting a crafted POST request to a UI route. Note: This issue does not impact applications using Declarative Mode `<BrowserRouter>` or Data Mode `createBrowserRouter/<RouterProvider>`. How to fix Cross-site Request Forgery (CSRF)? Upgrade `org.webjars.npm:react-router` to version 7.12.0 or higher.	[7.0.0,7.12.0)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ScrollRestoration API when using the `getKey` or `storageKey` props during server-side rendering in Framework Mode. An attacker can execute arbitrary JavaScript code by supplying untrusted content to generate the keys. This is only exploitable if server-side rendering is enabled in Framework Mode and untrusted input is used for key generation. Note: This issue does not impact applications using Declarative Mode `<BrowserRouter>` or Data Mode `createBrowserRouter/<RouterProvider>` and server-side rendering in Framework Mode is disabled. How to fix Cross-site Scripting (XSS)? Upgrade `org.webjars.npm:react-router` to version 7.12.0 or higher.	[7.0.0,7.12.0)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Meta API in Framework Mode when generating `script:ld+json` tags during server-side rendering with untrusted content. An attacker can execute arbitrary JavaScript code by injecting malicious input into the metadata generation process. Note: This issue does not impact applications using Declarative Mode `<BrowserRouter>` or Data Mode `createBrowserRouter/<RouterProvider>`. How to fix Cross-site Scripting (XSS)? Upgrade `org.webjars.npm:react-router` to version 7.9.0 or higher.	[7.0.0,7.9.0)
H Open Redirect Affected versions of this package are vulnerable to Open Redirect via the `resolvePath()` function when used with `navigate`, `<Link>`, or `redirect`. An attacker can cause the application to redirect users to external, potentially malicious URLs by supplying crafted paths. Note: This is only exploitable if untrusted content is passed into navigation paths in the application code. How to fix Open Redirect? Upgrade `org.webjars.npm:react-router` to version 6.30.2, 7.9.6 or higher.	[,6.30.2)[7.0.0,7.9.6)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the navigation redirect process for loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes. An attacker can execute arbitrary JavaScript code in the context of the user's browser by supplying a crafted URL that is used as a redirect target.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter>.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.npm:react-router to version 7.12.0 or higher.

[7.0.0,7.12.0)

Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the improper origin checks of UI route submissions in server-side route action handlers in Framework Mode. An attacker can execute unauthorized actions by tricking a user into submitting a crafted POST request to a UI route.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter> or Data Mode createBrowserRouter/<RouterProvider>.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade org.webjars.npm:react-router to version 7.12.0 or higher.

[7.0.0,7.12.0)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ScrollRestoration API when using the getKey or storageKey props during server-side rendering in Framework Mode. An attacker can execute arbitrary JavaScript code by supplying untrusted content to generate the keys. This is only exploitable if server-side rendering is enabled in Framework Mode and untrusted input is used for key generation.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter> or Data Mode createBrowserRouter/<RouterProvider> and server-side rendering in Framework Mode is disabled.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.npm:react-router to version 7.12.0 or higher.

[7.0.0,7.12.0)

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the Meta API in Framework Mode when generating script:ld+json tags during server-side rendering with untrusted content. An attacker can execute arbitrary JavaScript code by injecting malicious input into the metadata generation process.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter> or Data Mode createBrowserRouter/<RouterProvider>.

How to fix Cross-site Scripting (XSS)?

Upgrade org.webjars.npm:react-router to version 7.9.0 or higher.

[7.0.0,7.9.0)

Open Redirect

Affected versions of this package are vulnerable to Open Redirect via the resolvePath() function when used with navigate, <Link>, or redirect. An attacker can cause the application to redirect users to external, potentially malicious URLs by supplying crafted paths.

Note:

This is only exploitable if untrusted content is passed into navigation paths in the application code.

How to fix Open Redirect?

Upgrade org.webjars.npm:react-router to version 6.30.2, 7.9.6 or higher.

[,6.30.2)[7.0.0,7.9.6)

org.webjars.npm:react-router@7.5.2

latest version

latest non vulnerable version

first published

latest version published

licenses detected

package registry

Direct Vulnerabilities

Fix vulnerabilities automatically