GHSA-8x6r-g9mw-2r78
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8x6r-g9mw-2r78
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-8x6r-g9mw-2r78/GHSA-8x6r-g9mw-2r78.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-8x6r-g9mw-2r78
- Aliases
-
- CVE-2026-42342
- Related
- Published
- 2026-06-03T21:05:17Z
- Modified
- 2026-06-08T17:44:21.326890112Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
- Summary
- React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
- Details
-
There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users.
[!NOTE] This does not impact your React Router application if you are using Declarative Mode (
<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). - Database specific
{ "github_reviewed_at": "2026-06-03T21:05:17Z", "nvd_published_at": "2026-06-02T20:16:36Z", "severity": "HIGH", "github_reviewed": true, "cwe_ids": [ "CWE-400" ] }- References
Affected packages
npm / react-router
Package
- Name
- react-router
- View open source insights on deps.dev
- Purl
- pkg:npm/react-router
npm / @remix-run/server-runtime
Package
- Name
- @remix-run/server-runtime
- View open source insights on deps.dev
- Purl
- pkg:npm/%40remix-run%2Fserver-runtime