← Back

CVE-2025-59057

nvd nist
Published: Jan 10, 2026Modified: Jan 30, 2026

JSON object

Loading...
7.6
Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Exploitability: 2.3 / Impact: 4.7
Source: security-advisories@github.com (Secondary)

Description

React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0. and react-router versions 7.0.0 through 7.8.2, a XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.

Affected (2)

Shopify
2 products
React Router
Remix Run/react
Configuration A
2 vulnerable
Vulnerable SoftwareAffected Versions
React Router
From 7.0.0 to 7.8.2
Remix Run/react
From 1.15.0 to 2.17.0

Related CWEs

CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

References (1)

Source: security-advisories@github.com
Third Party Advisory

Timeline

No history available yet.