React Router (Framework Mode), DoS via Unbounded Path Expansion, CVE-2026-42342 (High) -DC-Jun2026-189


CVE-2026-42342: Denial-of-Service via Unbounded Path Expansion in `__manifest` Endpoint
The vulnerability arises in React Router’s Framework Mode and in Remix applications (versions 7.0.0–7.14.x of `react-router` and 2.10.0–2.17.4 of `@remix-run/server-runtime`).
At its core, a specially crafted HTTP request to the internal `__manifest` endpoint triggers an unbounded path expansion routine. The server-side code that processes these manifests does not enforce any limit on the depth or complexity of the path segments submitted.
When an attacker sends a path string with many deeply nested or repeated segments (e.g., `/a/a/a/a/…` up to thousands of levels), the application attempts to expand and resolve each segment recursively. Because there is no upper bound on the number of expansions, this leads to an exponential or quasi‑exponential increase in memory and CPU usage.
The server spends an excessive amount of time parsing the path, building intermediate data structures, and performing filesystem‑like resolutions. As a result, the request consumes far more resources than a legitimate one would.
With enough such malicious requests, the server’s resources become saturated. Response times degrade significantly, and eventually the service becomes unavailable for all users—a classic uncontrolled resource consumption flaw (CWE‑400).
The vulnerability is remotely exploitable over HTTP, requires no authentication, and can be triggered from the public internet.
It does not affect applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter` / `<RouterProvider>`).

DailyCVE Form:

Platform: React Router / Remix
Version: 7.0.0–7.14.x / 2.10.0–2.17.4
Vulnerability: Unbounded path expansion
Severity: High (CVSS 7.5)
Date: 2026‑06‑02

Prediction: 2026‑06‑03 (patch in 7.15.0 / 2.17.5)

What Undercode Say:

“The `__manifest` endpoint in Framework Mode recursively expands route paths without limits. An attacker can send a request like `/_manifest?route=deeply/nested/path` with hundreds of segments, causing CPU exhaustion.”

Analytics – Monitor for anomalies targeting `__manifest`:

```bash
# Check for unusual request rates to __manifest
grep -c "__manifest" /var/log/nginx/access.log
# Visualize top paths hitting the endpoint
awk -F '"' '/__manifest/ {print $2}' /var/log/nginx/access.log | sort | uniq -c | sort -nr
```
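The two shell one-liners above only count hits. The added example below (not part of the DailyCVE post or the React Router project) does the same triage in Node against nginx "combined"-format lines, but also measures the depth of the `route` parameter, which is the actual signal for this flaw: a client sending hundreds of segments stands out even at a low request rate. The log lines, IPs and the depth/volume thresholds are constructed for illustration.

```javascript
// Added example: triage __manifest traffic from nginx access log lines.
// Flags clients that send over-deep `route` parameters or unusual volumes.
// Log format and sample lines below are constructed, not real traffic.

// Matches the default nginx "combined" format: client IP, then the quoted request line.
const LOG_LINE = /^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"/;

// Number of non-empty "/"-separated segments in the `route` query parameter.
function routeDepth(requestPath) {
  // The base URL only exists so the WHATWG parser accepts a bare path.
  const url = new URL(requestPath, 'http://localhost');
  const route = url.searchParams.get('route');
  if (route === null) return 0;
  return route.split('/').filter((s) => s.length > 0).length;
}

// Summarise __manifest traffic per client IP from an array of log lines.
// maxDepth: segment count above which a request is considered suspicious.
function analyzeManifestTraffic(lines, maxDepth = 100) {
  const perIp = new Map();
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, ip, , path] = m;
    if (!path.startsWith('/__manifest')) continue;
    const depth = routeDepth(path);
    const entry = perIp.get(ip) || { requests: 0, maxDepth: 0, deepRequests: 0 };
    entry.requests += 1;
    entry.maxDepth = Math.max(entry.maxDepth, depth);
    if (depth > maxDepth) entry.deepRequests += 1;
    perIp.set(ip, entry);
  }
  return perIp;
}

// IPs whose __manifest traffic looks abusive: any over-deep route parameter,
// or more requests in the log window than `maxRequests` (both thresholds assumed).
function suspiciousClients(lines, { maxDepth = 100, maxRequests = 10 } = {}) {
  const report = analyzeManifestTraffic(lines, maxDepth);
  return [...report.entries()]
    .filter(([, e]) => e.deepRequests > 0 || e.requests > maxRequests)
    .map(([ip]) => ip)
    .sort();
}

// Constructed sample: one ordinary client and one sending a 500-segment route twice.
const deepRoute = 'a/'.repeat(500);
const SAMPLE_LOG = [
  '10.0.0.5 - - [02/Jun/2026:10:00:00 +0000] "GET /__manifest?route=dashboard/settings HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [02/Jun/2026:10:00:01 +0000] "GET /app/dashboard HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
  `198.51.100.7 - - [02/Jun/2026:10:00:02 +0000] "GET /__manifest?route=${deepRoute} HTTP/1.1" 200 512 "-" "curl/8.0"`,
  `198.51.100.7 - - [02/Jun/2026:10:00:02 +0000] "GET /__manifest?route=${deepRoute} HTTP/1.1" 200 512 "-" "curl/8.0"`,
];

for (const [ip, e] of analyzeManifestTraffic(SAMPLE_LOG)) {
  console.log(`${ip}: ${e.requests} __manifest requests, max depth ${e.maxDepth}, ${e.deepRequests} over limit`);
}
console.log('suspicious clients:', suspiciousClients(SAMPLE_LOG));
```

Feeding a real file is a matter of `fs.readFileSync(path, 'utf8').split('\n')` in place of `SAMPLE_LOG`; the depth threshold should match whatever limit the WAF or application enforces so that detection and blocking agree.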

Proof‑of‑Concept (curl) – Exploit the unbounded expansion:

```bash
# Craft a request with 500 nested path segments
NESTED=$(printf 'a/%.0s' {1..500})
curl "https://victim.com/__manifest?route=${NESTED}"
```

Protection – Immediate steps:

  • Upgrade to `react-router@7.15.0` or `@remix-run/server-runtime@2.17.5`.
  • If upgrading is not possible, apply a web application firewall (WAF) rule to block requests with deep `route` parameters, for example in nginx:

```nginx
location /__manifest {
    if ($arg_route ~ "^([^/]+/){100,}") { return 403; }
    proxy_pass http://backend;
}
```

  • Enable rate limiting on the `__manifest` endpoint (e.g., 10 req/min per IP).
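Where no WAF sits in front of the Node process, the same two controls can be enforced in the application itself. The added example below (not React Router's own code or its patch) is a Connect/Express-style middleware that mirrors the nginx rule: it rejects `__manifest` requests whose `route` parameter reaches the segment limit with 403 and applies a per-IP fixed-window rate limit with 429. The option names, the defaults, and the injectable clock are assumptions made for illustration.

```javascript
// Added example: application-level guard for the __manifest endpoint.
// Not React Router's code; option names and defaults are assumptions.

// Number of non-empty "/"-separated segments in the `route` query parameter.
function routeSegmentCount(requestUrl) {
  const url = new URL(requestUrl, 'http://localhost');
  const route = url.searchParams.get('route') || '';
  return route.split('/').filter((s) => s.length > 0).length;
}

// Options (assumed):
//   maxDepth     - reject when the route has at least this many segments (nginx rule: 100)
//   maxPerWindow - per-IP budget of __manifest requests per windowMs
//   now          - clock function, injectable so the limiter can be tested deterministically
function createManifestGuard({ maxDepth = 100, maxPerWindow = 10, windowMs = 60_000, now = Date.now } = {}) {
  const windows = new Map(); // ip -> { start, count }

  // Fixed-window counter: true when the client has exceeded its budget.
  function rateLimited(ip) {
    const t = now();
    let w = windows.get(ip);
    if (!w || t - w.start >= windowMs) {
      w = { start: t, count: 0 };
      windows.set(ip, w);
    }
    w.count += 1;
    return w.count > maxPerWindow;
  }

  // Pure decision: HTTP status to send, or null to let the request through.
  // The depth check runs first so over-deep requests never reach the expansion code.
  function decide(ip, requestUrl) {
    if (!requestUrl.startsWith('/__manifest')) return null;
    if (routeSegmentCount(requestUrl) >= maxDepth) return 403;
    if (rateLimited(ip)) return 429;
    return null;
  }

  // (req, res, next) shape used by Express/Connect; mounted before the router.
  function middleware(req, res, next) {
    const ip = (req.socket && req.socket.remoteAddress) || req.ip || 'unknown';
    const status = decide(ip, req.url);
    if (status === null) return next();
    res.statusCode = status;
    res.setHeader('Content-Type', 'text/plain');
    res.end(status === 403 ? 'route parameter too deep' : 'rate limit exceeded');
  }

  return { middleware, decide };
}

// Usage sketch with an Express app (assumed): app.use(createManifestGuard().middleware);
const demo = createManifestGuard({ maxDepth: 100, maxPerWindow: 10 });
console.log(demo.decide('203.0.113.9', '/__manifest?route=' + 'a/'.repeat(500))); // 403
console.log(demo.decide('203.0.113.9', '/__manifest?route=dashboard/settings')); // null
```

Because `decide` is separated from the transport, the same rule can be unit-tested without a server, and the fixed-window map should be swapped for a shared store (or the WAF rule) when the application runs as more than one process, since each process otherwise keeps its own counters.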

Impact – Successful exploitation leads to:

  • Severe CPU and memory exhaustion
  • Degraded response times (latency spikes from ms → seconds)
  • Full denial of service (application becomes unresponsive)
  • No data breach or privilege escalation—purely availability impact


Sources:

Reported By: github.com