A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0 or later.
[!NOTE] This does not impact your React Router application if you are using Declarative Mode (
<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
{
"nvd_published_at": "2026-06-02T20:16:34Z",
"severity": "HIGH",
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-06-04T15:23:51Z"
}