Asymmetric denial of service - ReDoS in react-router
Description
React Router vulnerable to DoS via unbounded path expansion in the __manifest endpoint
There is a potential DoS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests to the __manifest endpoint can be crafted to consume disproportionate resources on the server, resulting in response-time degradation and/or service unavailability for end users. The cost is asymmetric: a single small request can trigger server-side work that grows without bound with the number of paths it asks the server to expand.
[!NOTE] This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
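The fix is to upgrade to a patched version. As defense in depth while rolling that out, a server can bound the work a single __manifest request is allowed to ask for before it ever reaches the router. The following is an added example, not code from the advisory or from the react-router project; it assumes (the page does not say) that the endpoint is served at `/__manifest` and that the requested route paths arrive as repeated `p` query parameters. The limit values are illustrative.

```javascript
// Added example: a pre-router guard for __manifest requests.
// Assumptions not stated in the advisory: endpoint path is "/__manifest" and
// requested route paths arrive as repeated "p" query parameters.
const MANIFEST_PATH = "/__manifest";

// Illustrative limits; tune to the largest legitimate prefetch your app makes.
const LIMITS = { maxPaths: 50, maxPathLength: 256, maxQueryLength: 4096 };

// Inspect a request URL and decide whether it stays within the limits.
// Returns { ok, reason } plus the de-duplicated path list when accepted.
function checkManifestRequest(rawUrl, limits = LIMITS) {
  let url;
  try {
    url = new URL(rawUrl, "http://localhost"); // base only needed to parse a path-relative URL
  } catch {
    return { ok: false, reason: "unparseable URL" };
  }
  if (url.pathname !== MANIFEST_PATH) {
    return { ok: true, reason: "not a manifest request" };
  }
  // Cheap check first: reject oversized query strings before parsing params.
  if (url.search.length > limits.maxQueryLength) {
    return { ok: false, reason: "query string too long" };
  }
  const paths = url.searchParams.getAll("p");
  if (paths.length > limits.maxPaths) {
    return { ok: false, reason: `too many paths (${paths.length})` };
  }
  const unique = new Set();
  for (const p of paths) {
    if (p.length > limits.maxPathLength) return { ok: false, reason: "path too long" };
    if (!p.startsWith("/")) return { ok: false, reason: "path must be absolute" };
    unique.add(p); // duplicates would otherwise be expanded repeatedly
  }
  return { ok: true, reason: "within limits", paths: [...unique] };
}

// Express/Connect-style middleware built on the check above. Mount it ahead of
// the React Router / Remix request handler so rejected requests never reach it.
function manifestGuard(limits = LIMITS) {
  return (req, res, next) => {
    const verdict = checkManifestRequest(req.url, limits);
    if (!verdict.ok) {
      res.statusCode = 400;
      res.setHeader("Content-Type", "text/plain");
      res.end(`rejected: ${verdict.reason}`);
      return;
    }
    next();
  };
}

// Drive the middleware with a minimal fake req/res and return the status it
// would send (200 means the request was passed through to next()).
function simulate(url, limits = LIMITS) {
  let status = 200;
  const req = { url };
  const res = {
    statusCode: 200,
    setHeader() {},
    end() { status = this.statusCode; },
  };
  manifestGuard(limits)(req, res, () => { status = 200; });
  return status;
}

// Constructed sample requests (not captured traffic).
const SAMPLES = {
  normal: "/__manifest?version=abc&p=/&p=/about",
  flood: "/__manifest?version=abc&" +
    Array.from({ length: 500 }, (_, i) => `p=/r${i}`).join("&"),
  unrelated: "/about",
};

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, url] of Object.entries(SAMPLES)) {
    console.log(name, simulate(url), checkManifestRequest(url).reason);
  }
}
```

This is a mitigation, not a fix: it caps the amplification a single request can produce but does nothing about the underlying expansion cost, so it belongs in front of an upgrade, not instead of one. Keep `maxPaths` at or just above what your own client actually sends, and log rejections so a real prefetch pattern that trips the limit is noticed quickly.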
Mitigation
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
| Ecosystem | Package | Affected versions | Patched versions |
|---|---|---|---|
| npm | react-router | | 7.15.0 |
| npm | Remix | 2.10.0 - 2.17.4 | 2.17.5 |