logo

Database

Reflected cross-site scripting (XSS) In react-router

Description

React Router has XSS Vulnerability A XSS vulnerability exists in in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.

[!NOTE] This does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2025-590572. NVD-2025-590573. OSV-2025-590574. GHSA-3cgp-3xvw-98x85. GCVE-2025-59057

References

1. https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x82. https://github.com/boroeurnprach/CVE-2025-59057-PoC

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.