HIGH 7.6 npm

React Router has XSS Vulnerability

GHSA-3cgp-3xvw-98x8 · CVE-2025-59057


Description

An XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags. If untrusted content is used to generate the tag, this could allow arbitrary JavaScript execution during SSR.

[!NOTE]
This does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
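
The class of bug described above, as an added illustration (this is not React Router's code or its patch): a generic server-side renderer that embeds JSON in a `script` tag, first without escaping and then with it. The function names and the sample descriptor are hypothetical and constructed for this example.

```javascript
// Constructed sample: a JSON-LD descriptor whose "name" field came from untrusted input.
const untrustedName = 'Widget</script><script>window.__injected=1</script>';
const descriptor = {
  "@context": "https://schema.org",
  "@type": "Product",
  name: untrustedName,
};

// Unsafe pattern: JSON.stringify leaves "<" intact, so the HTML parser treats
// the embedded "</script>" as the end of the element and parses what follows as markup.
function renderLdJsonUnsafe(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened pattern: rewrite HTML-significant characters as \uXXXX JSON escapes.
// The JSON value is unchanged after parsing, but the markup can no longer be broken.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};
function escapeJsonForHtml(json) {
  return json.replace(/[<>&\u2028\u2029]/g, (ch) => ESCAPES[ch]);
}
function renderLdJsonSafe(data) {
  return `<script type="application/ld+json">${escapeJsonForHtml(JSON.stringify(data))}</script>`;
}

// Review/test helper: a correctly rendered tag contains exactly one closing sequence.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Pull the payload back out of a rendered tag to confirm it still parses to the same data.
function extractLdJson(html) {
  const start = html.indexOf(">") + 1;
  return html.slice(start, html.indexOf("</script", start));
}

console.log("unsafe closes:", countScriptCloses(renderLdJsonUnsafe(descriptor)));
console.log("safe closes:  ", countScriptCloses(renderLdJsonSafe(descriptor)));
```

The same check (`countScriptCloses(...) === 1` on rendered output fed with hostile strings) works as a regression test for any code path that serializes user-influenced data into a `script` element.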
