How the CVE Works
React Router versions 7.7.0 through 7.13.1 using the unstable React Server Components (RSC) APIs contain a client‑side XSS flaw in how RSC redirects are processed. The root cause is failure to validate or sanitise the redirect target protocol when a redirect is initiated from a loader or action in RSC mode. An attacker who can control the redirect path (e.g., via a query parameter, form input, or database value) can supply a URL starting with javascript:. The RSC redirect handling inadvertently passes this `javascript:` URI to the client‑side navigation mechanism, which executes the embedded JavaScript in the context of the vulnerable application’s origin.
Because the redirect logic does not reject or neutralise `javascript:` URIs, any untrusted source that influences the redirect destination can lead to arbitrary script execution. This XSS enables the attacker to steal session tokens, perform actions on behalf of the victim, deface the page, or redirect the user to a malicious site. The vulnerability is only exploitable when the application relies on the unstable RSC APIs for redirects; applications using classic `
DailyCVE Form:
Platform: React Router
Version: 7.7.0 – 7.13.1
Vulnerability: XSS (javascript: redirect)
Severity: High (CVSS 8.0)
Date: 2026-06-02
Prediction: 2026-06-03 (patch v7.13.2)
What Undercode Say (Analytics + Bash Codes)
```bash
# Show the installed React Router version(s) and where they sit in the tree
npm list react-router

# Restrict the listing to direct dependencies only
npm list react-router --depth=0

# Let npm audit report the advisory, if the registry already carries it
npm audit | grep -A 5 "react-router"

# Or check the installed version(s) against the affected range directly
# (requires jq and npm 7 or newer for --all). Affected: 7.7.0 <= v <= 7.13.1.
is_vulnerable() {
  # 7.7.x through 7.12.x, plus 7.13.0 and 7.13.1 (7.13.2 is the fix)
  [[ "$1" =~ ^7\.(7|8|9|10|11|12)\.[0-9]+$ || "$1" =~ ^7\.13\.[01]$ ]]
}

npm ls react-router --all --json \
  | jq -r '.. | .["react-router"]? | select(. != null) | .version' \
  | sort -u \
  | while read -r v; do
      if is_vulnerable "$v"; then
        echo "Vulnerable: $v"
      else
        echo "Not affected: $v"
      fi
    done
```
How Exploit
1. Identify any endpoint that accepts a `redirect` parameter (e.g., `?next=...`) and uses React Router’s `redirect()` in an RSC loader/action.
2. Craft a payload: `javascript:alert(document.cookie)`
3. Cause the application to redirect to that payload (e.g., by submitting a form that triggers the vulnerable loader).
4. If successful, the script executes in the victim’s browser.
Protection
- Upgrade to React Router 7.13.2 or newer.
- If an upgrade is not immediately possible, validate all redirect targets against an allow‑list (only `http:`/`https:`), rejecting `javascript:`, `data:`, `vbscript:`, etc.
- Avoid passing user‑supplied input directly to `redirect()` when using the unstable RSC APIs.
- Enable a Content Security Policy (CSP) that blocks `javascript:` navigation (e.g., `script-src 'self'`).
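The allow‑list check recommended above, applied to the redirect flow described under "How the CVE Works", as an added example. This is not React Router's own code and not the upstream fix: `sanitizeRedirectTarget`, `resolveNextParam`, the `appOrigin`/`allowHosts` options and the `next` query parameter name are all assumptions, and the sample inputs are constructed. The point a practitioner wants to see is that a string prefix check is not enough: the WHATWG URL parser (Node's global `URL`, the same parser browsers use) lowercases the scheme, strips leading whitespace and turns `/\host` into an authority, so the check is done on the parsed protocol and origin rather than on the raw text.

```javascript
// Added example (not React Router's code): reduce an untrusted redirect
// target to something safe to hand to react-router's redirect().
// Assumptions: the caller passes the app's origin; allowHosts names the
// external hosts the app is allowed to bounce to (exact host match).

const SAFE_PROTOCOLS = new Set(["http:", "https:"]);

/**
 * Returns a same-origin path, an allow-listed absolute http(s) URL, or
 * the fallback. javascript:, data:, vbscript:, unknown hosts and
 * unparsable input all collapse to the fallback.
 */
function sanitizeRedirectTarget(target, appOrigin, { allowHosts = [], fallback = "/" } = {}) {
  if (typeof target !== "string") return fallback;

  let url;
  try {
    // Resolving against appOrigin makes relative paths same-origin and
    // lets the parser normalise case, whitespace and backslashes:
    // " JaVaScRiPt:" -> protocol "javascript:", "/\\evil" -> host "evil".
    url = new URL(target, appOrigin);
  } catch {
    return fallback;
  }

  // Non-http(s) schemes (javascript:, data:, vbscript:, ...) stop here.
  if (!SAFE_PROTOCOLS.has(url.protocol)) return fallback;

  // Same origin: hand back a relative path so scheme and host cannot drift.
  if (url.origin === new URL(appOrigin).origin) {
    return url.pathname + url.search + url.hash;
  }

  // Cross-origin: exact, allow-listed hosts only (no suffix matching).
  if (allowHosts.includes(url.host)) return url.href;

  return fallback;
}

/**
 * Read the hypothetical `next` query parameter from an incoming request
 * URL and sanitise it. In a loader or action you would then
 * `return redirect(resolveNextParam(request.url, appOrigin))`
 * instead of passing the raw parameter to redirect().
 */
function resolveNextParam(requestUrl, appOrigin, options) {
  const next = new URL(requestUrl).searchParams.get("next");
  return sanitizeRedirectTarget(next, appOrigin, options);
}

// Constructed sample inputs, not taken from any real application.
const ORIGIN = "https://app.example";
const samples = [
  "/account",
  "javascript:alert(document.cookie)",
  " JaVaScRiPt:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//evil.example/phish",
  "/\\evil.example",
  "https://app.example/settings?tab=1#top",
  "https://partner.example/return",
];
for (const s of samples) {
  const out = sanitizeRedirectTarget(s, ORIGIN, { allowHosts: ["partner.example"] });
  console.log(JSON.stringify(s), "->", out);
}
```

Returning the fallback path instead of throwing keeps the loader's control flow simple; in a production app it is worth logging the rejected value as well, since a `javascript:` or `data:` target arriving in `next` is a signal of an attempted attack rather than a user typo. Note that an `http://` target for an `https://` app is rejected too, because the origin comparison includes the scheme.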
Impact
- High – CVSS 8.0 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N).
- Attacker can execute arbitrary JavaScript in the victim’s browser, leading to session theft, account takeover, data exfiltration, and client‑side ransomware.
- Because redirects can be triggered without direct user interaction (e.g., via a link), the attack surface is wide.
- No known exploitation in the wild (not listed in CISA KEV), but the high severity demands immediate remediation.
Sources:
Reported By: github.com