React Router: Stored Cross-Site Scripting via Unescaped Location Header in Prerendered Redirect HTML (CVE‑2026‑33244) (Medium) -DC-Jun2026-156


CVE‑2026‑33244 describes a stored cross‑site scripting (XSS) flaw in React Router versions 7.5.1 through 7.13.1. The vulnerability only appears when Framework Mode is enabled together with prerendering (static site generation). In this configuration, the framework writes pre‑rendered HTML files that may contain an HTTP `Location` header value without proper escaping. If an attacker can control that value – for instance, by submitting a malicious redirect URL – the unescaped payload is embedded directly into the static HTML page. When a victim subsequently loads that page, the injected script executes in their browser. This is a stored (persistent) XSS because the malicious HTML file stays on the server and can affect every visitor until the file is regenerated or patched.
The root cause is improper neutralization of the `Location` header during the pre‑rendering pipeline. Internally, the framework returns a redirect response; the `Location` header value is taken from an external source (e.g., user input or an untrusted API) and written into the generated `.html` file without output encoding. Because the static page does not go through any later server‑side escaping, injected markup (e.g., `<script>alert(1)</script>`) becomes part of the final DOM.
Applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`) are not affected. The issue is fixed in version 7.13.2.

DailyCVE Form:

Platform: React Router
Version: 7.5.1‑7.13.1
Vulnerability: Stored XSS
Severity: Medium (5.4)
Date: Jun 2 2026

Prediction: Patch by 2026‑06‑02

What Undercode Say:

Check if your project is using a vulnerable version (coarse match on 7.5.x‑7.9.x and 7.10.x‑7.13.x; confirm the exact patch level against the 7.5.1‑7.13.1 range):
npm list react-router | grep -E "7\.[5-9]\.|7\.1[0-3]\."
Simulate the vulnerable behaviour (PoC – do NOT run on production):
curl -X GET "https://vulnerable-app.com/redirect?to=%3Cscript%3Ealert%28%27xss%27%29%3C%2Fscript%3E"
// Vulnerable route example (Framework Mode + prerendering)
import { redirect } from "react-router";

export const loader = ({ request }) => {
  const url = new URL(request.url);
  // Redirect target is taken straight from the query string
  const target = url.searchParams.get("to");
  // Unsanitized Location header written to prerendered HTML
  return redirect(target);
};

Exploit:

An attacker crafts a URL that points to a redirect endpoint of a vulnerable React Router site. The `to` parameter contains a JavaScript payload:
`https://victim.com/redirect?to=javascript:alert%28%27XSS%27%29`
Because the `Location` header is written without escaping into the prerendered HTML file, the payload executes when a user visits the generated page. The attacker can steal cookies, session tokens, or perform actions on behalf of the victim.

Protection:

  • Upgrade to React Router 7.13.2 or later.
  • If upgrading is not immediately possible, disable prerendering for any routes that accept redirect targets from untrusted sources.
  • Sanitise all `Location` header values before they are passed to a redirect function (use a whitelist of allowed domains).
  • Deploy a Content Security Policy (CSP) that restricts script execution to trusted sources.
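As an added example, not code from the advisory or from React Router itself, here is a hardened counterpart of the vulnerable loader above: the redirect target is validated against the request's own origin and a constructed allowlist (which rejects `javascript:` and other non‑http schemes), and the value a prerender step would write into HTML is output‑encoded first. `ALLOWED_EXTERNAL_HOSTS`, `safeRedirectTarget`, `escapeHtml`, `renderRedirectHtml` and `hardenedLoader` are assumed names; the loader builds the Fetch API `Response` that `redirect()` wraps so it runs without react-router installed.

```javascript
const ALLOWED_EXTERNAL_HOSTS = new Set(["partner.example.net"]); // constructed allowlist

// Returns a vetted absolute URL string, or `fallback` when `raw` is unacceptable.
function safeRedirectTarget(raw, origin, fallback = "/") {
  if (typeof raw !== "string" || raw.length === 0) return fallback;
  let url;
  try {
    url = new URL(raw, origin); // relative paths resolve against our own origin
  } catch {
    return fallback; // unparsable input never becomes a Location value
  }
  // Only http(s) survive, which drops javascript:, data: and vbscript: URLs.
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  // Same origin, or an explicitly allowlisted external host. Protocol-relative
  // input such as "//evil.example/p" fails here because its origin differs.
  if (url.origin !== origin && !ALLOWED_EXTERNAL_HOSTS.has(url.hostname)) return fallback;
  return url.href;
}

// Encode a value for placement inside HTML text or a double-quoted attribute.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;").replace(/'/g, "&#39;");
}

// The static stub a prerender pass could emit for a redirect, with the
// Location value output-encoded instead of pasted in verbatim.
function renderRedirectHtml(location) {
  const safe = escapeHtml(location);
  return `<!doctype html><meta http-equiv="refresh" content="0;url=${safe}">` +
    `<p>Redirecting to <a href="${safe}">${safe}</a></p>`;
}

// Hardened counterpart of the vulnerable loader: same shape (request in,
// redirect Response out) but the target is vetted first. Builds the Fetch API
// Response that redirect() wraps, so it runs without react-router installed.
function hardenedLoader({ request }) {
  const url = new URL(request.url);
  const target = safeRedirectTarget(url.searchParams.get("to"), url.origin);
  return new Response(null, { status: 302, headers: { Location: target } });
}
```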

Impact:

  • Session hijacking – The attacker can steal authentication cookies or tokens.
  • Data theft – Sensitive information (localStorage, sessionStorage, DOM content) can be exfiltrated.
  • Defacement – Malicious scripts can alter the page appearance or behaviour.
  • Persistent infection – The malicious HTML file remains on the server, affecting all subsequent visitors until the file is regenerated.


Sources:

Reported By: github.com
Extra Source Hub:
Undercode
