HIGH 7.5 npm
React Router vulnerable to Denial of Service via reflected user input in single-fetch
GHSA-rxv8-25v2-qmq8 · CVE-2026-34077
Description
A DoS vulnerability exists in React Router v7 Framework Mode, as well as in Remix v2.9.0+ with Single Fetch enabled. In some scenarios, the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0 or later.
Note: This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
References
- WEB https://github.com/remix-run/react-router/security/advisories/GHSA-rxv8-25v2-qmq8
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-34077
- WEB https://github.com/remix-run/react-router/commit/59811921d3c7d599077b8cadccdcd65a233165e0
- WEB https://github.com/jacob-ebey/turbo-stream/blob/v2.4.1/src/flatten.ts#L175-L177
- WEB https://github.com/jacob-ebey/turbo-stream/blob/v2.4.1/src/unflatten.ts#L185-L189
- PACKAGE https://github.com/remix-run/react-router