react-router 7.12.0-pre.0 vulnerabilities

Direct Vulnerabilities

Known vulnerabilities in the react-router package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
H Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the navigation redirect process for loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes. An attacker can execute arbitrary JavaScript code in the context of the user's browser by supplying a crafted URL that is used as a redirect target. Note: This issue does not impact applications using Declarative Mode `<BrowserRouter>`. How to fix Cross-site Scripting (XSS)? Upgrade `react-router` to version 7.12.0 or higher.	>=7.0.0 <7.12.0
M Cross-site Request Forgery (CSRF) Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the improper origin checks of UI route submissions in server-side route `action` handlers in Framework Mode. An attacker can execute unauthorized actions by tricking a user into submitting a crafted POST request to a UI route. Note: This issue does not impact applications using Declarative Mode `<BrowserRouter>` or Data Mode `createBrowserRouter/<RouterProvider>`. How to fix Cross-site Request Forgery (CSRF)? Upgrade `react-router` to version 7.12.0 or higher.	>=7.0.0 <7.12.0
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ScrollRestoration API when using the `getKey` or `storageKey` props during server-side rendering in Framework Mode. An attacker can execute arbitrary JavaScript code by supplying untrusted content to generate the keys. This is only exploitable if server-side rendering is enabled in Framework Mode and untrusted input is used for key generation. Note: This issue does not impact applications using Declarative Mode `<BrowserRouter>` or Data Mode `createBrowserRouter/<RouterProvider>` and server-side rendering in Framework Mode is disabled. How to fix Cross-site Scripting (XSS)? Upgrade `react-router` to version 7.12.0 or higher.	>=7.0.0 <7.12.0

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in the navigation redirect process for loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes. An attacker can execute arbitrary JavaScript code in the context of the user's browser by supplying a crafted URL that is used as a redirect target.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter>.

How to fix Cross-site Scripting (XSS)?

Upgrade react-router to version 7.12.0 or higher.

>=7.0.0 <7.12.0

Cross-site Request Forgery (CSRF)

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the improper origin checks of UI route submissions in server-side route action handlers in Framework Mode. An attacker can execute unauthorized actions by tricking a user into submitting a crafted POST request to a UI route.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter> or Data Mode createBrowserRouter/<RouterProvider>.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade react-router to version 7.12.0 or higher.

>=7.0.0 <7.12.0

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the ScrollRestoration API when using the getKey or storageKey props during server-side rendering in Framework Mode. An attacker can execute arbitrary JavaScript code by supplying untrusted content to generate the keys. This is only exploitable if server-side rendering is enabled in Framework Mode and untrusted input is used for key generation.

Note:

This issue does not impact applications using Declarative Mode <BrowserRouter> or Data Mode createBrowserRouter/<RouterProvider> and server-side rendering in Framework Mode is disabled.

How to fix Cross-site Scripting (XSS)?

Upgrade react-router to version 7.12.0 or higher.

>=7.0.0 <7.12.0

react-router@7.12.0-pre.0 vulnerabilities

Declarative routing for React

latest version

latest non vulnerable version

first published

latest version published

licenses detected

Direct Vulnerabilities

Fix vulnerabilities automatically