GHSA-49rj-9fvp-4h2h

Source
https://github.com/advisories/GHSA-49rj-9fvp-4h2h
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-49rj-9fvp-4h2h/GHSA-49rj-9fvp-4h2h.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-49rj-9fvp-4h2h
Aliases
  • CVE-2026-42211
Published
2026-06-03T21:03:32Z
Modified
2026-06-03T21:15:07.684176016Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Summary
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
Details

When using React Router v7 in Framework Mode, a combination of steps could allow unauthorized RCE through external requests. This first requires the application code to already contain a prototype pollution vulnerability. That vulnerability can then be leveraged into a 2-step attack in which the second step triggers unauthorized RCE on the remote server.

Note: This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-03T21:03:32Z",
    "severity": "HIGH",
    "nvd_published_at": "2026-06-02T20:16:36Z",
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Package: npm / react-router

Affected ranges
  • Type: SEMVER
  • Events: Introduced 7.0.0, Fixed 7.14.2

Database specific
  • last_known_affected_version_range: "<= 7.14.1"
  • source: "https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-49rj-9fvp-4h2h/GHSA-49rj-9fvp-4h2h.json"