Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-34077— React Router vulnerable to Denial of Service via reflected user input in single-fetch

CVSS 7.5 · High

Possible ATT&CK Techniques 1AI

T1189 · Drive-by Compromise

Affected Version Matrix 2

VendorProductVersion RangeStatus
remix-runreact-router>= 7.0.0, < 7.14.0affected
remix-runturbo-stream< 3.0.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-34077

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
React Router vulnerable to Denial of Service via reflected user input in single-fetch
Source: NVD (National Vulnerability Database)
Vulnerability Description
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
不加限制或调节的资源分配
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
remix-runreact-router >= 7.0.0, < 7.14.0 -
remix-runturbo-stream < 3.0.0 -

II. Public POCs for CVE-2026-34077

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7978 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-34077

登录查看更多情报信息。

Vendor Advisories for CVE-2026-34077 (1)

Same Patch Batch · remix-run · 2026-06-02 · 6 CVEs total

CVE-2026-422118.1 HIGHReact Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_E
CVE-2026-332458.0 HIGHReact Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect
CVE-2026-423427.5 HIGHReact Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
CVE-2026-332445.4 MEDIUMReact Router has stored XSS via unescaped Location header in prerendered redirect HTML
CVE-2026-40181React Router's same-origin redirect with path starting // causes open redirect via protoco

IV. Related Vulnerabilities

Same product: react-router
Same vendor: remix-run
Same weakness: CWE-770

V. Comments for CVE-2026-34077

No comments yet

Leave a comment