Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1310 CNY

100%
Buy Us a Coffee

CVE-2026-42342— React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

CVSS 7.5 · High

Affected Version Matrix 2

VendorProductVersion RangeStatus
remix-run@remix-run/server-runtime>= 2.10.0, < 2.17.5affected
remix-runreact-router>= 7.0.0, < 7.15.0affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-42342

Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
Source: NVD (National Vulnerability Database)
Vulnerability Description
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
未加控制的资源消耗(资源穷尽)
Source: NVD (National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
remix-runreact-router >= 7.0.0, < 7.15.0 -
remix-run@remix-run/server-runtime >= 2.10.0, < 2.17.5 -

II. Public POCs for CVE-2026-42342

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 7837 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-42342

登录查看更多情报信息。

Vendor Advisories for CVE-2026-42342 (1)

Same Patch Batch · remix-run · 2026-06-02 · 6 CVEs total

CVE-2026-422118.1 HIGHReact Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_E
CVE-2026-332458.0 HIGHReact Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect
CVE-2026-340777.5 HIGHReact Router vulnerable to Denial of Service via reflected user input in single-fetch
CVE-2026-332445.4 MEDIUMReact Router has stored XSS via unescaped Location header in prerendered redirect HTML
CVE-2026-40181React Router's same-origin redirect with path starting // causes open redirect via protoco

IV. Related Vulnerabilities

Same product: react-router
Same vendor: remix-run
Same weakness: CWE-400

V. Comments for CVE-2026-42342

No comments yet

Leave a comment