React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router’s API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode () or Data Mode (createBrowserRouter/) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0.
We use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it.
