Security teams have identified severe vulnerabilities in the popular React Router framework, affecting millions of applications globally. The critical issues include:

1. **Remote Code Execution**: A particularly dangerous vulnerability, CVE-2026-42211, requires an attacker to exploit prototype pollution to gain shell access on remote servers. A related issue, CVE-2026-33245, allows client-side cross-site scripting via untrusted JavaScript inputs.
2. **Denial of Service Vulnerabilities**: Two architectural flaws have been discovered:
   - CVE-2026-34077, which affects applications in Framework Mode, triggering performance bottlenecks and potential crashes.
   - CVE-2026-42342, which affects manifest endpoints and can lead to severe memory consumption and degraded service for users.

To address these vulnerabilities, developers are advised to upgrade to React Router version 7.15.0 or Remix version 2.17.5 immediately. Applications not running in Declarative Mode are not affected by these vulnerabilities.
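
One way to confirm that the upgrade actually reached every installed copy is to audit the lockfile against the fixed versions named above. This is an added example, not code from the React Router or Remix projects; the list of Remix package names, the npm v2/v3 lockfile layout and the sample lockfile are assumptions of the example, and because the text gives no affected range, any version below the fixed one is flagged for review.

```javascript
// Fixed versions as stated above. Which Remix packages carry the fix is an
// assumption of this example; the three listed are common Remix runtime packages.
const FIXED_VERSIONS = new Map([
  ["react-router", "7.15.0"],
  ["@remix-run/react", "2.17.5"],
  ["@remix-run/node", "2.17.5"],
  ["@remix-run/server-runtime", "2.17.5"],
]);
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?/.exec(String(v));
  return m && { core: [+m[1], +m[2], +m[3]], pre: Boolean(m[4]) };
}

// True when `installed` sorts before `fixed`; a pre-release of the fixed
// version counts as below it, and an unparseable version is flagged for review.
function isBelow(installed, fixed) {
  const a = parseVersion(installed), b = parseVersion(fixed);
  if (!a || !b) return true;
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre && !b.pre;
}

// Walk the "packages" map of an npm lockfile (v2/v3 layout), including copies
// nested under other dependencies, which a top-level upgrade can leave behind.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // the root project entry has an empty key
    const name = path.slice(idx + "node_modules/".length);
    const fixed = FIXED_VERSIONS.get(name);
    if (fixed && isBelow(meta.version, fixed)) {
      findings.push({ path, name, installed: meta.version, fixed });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from any real project.
const SAMPLE_LOCK = { packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/react-router": { version: "7.15.0" },
  "node_modules/some-ui-kit/node_modules/react-router": { version: "7.9.2" },
  "node_modules/@remix-run/react": { version: "2.17.5-pre.0" },
  "node_modules/@remix-run/router": { version: "1.23.0" },
} };
for (const f of auditLockfile(SAMPLE_LOCK)) console.log(`${f.path}: ${f.installed} < ${f.fixed}`);
```

In the sample, the top-level `react-router` is already at the fixed version, but the copy nested under a dependency and the pre-release Remix build are both reported.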