CVE-2026-21884
Type: Cross-Site Scripting (XSS)
Affected Software: React Router / @remix-run/react
Severity: High (per NVD advisory)
Description:
This issue exists in React Router’s <ScrollRestoration> API when used in Server-Side Rendering (SSR) Framework Mode with getKey/storageKey props. If untrusted content contributes to those keys during SSR, attackers can inject arbitrary JavaScript into rendered pages.
- The flaw only impacts SSR in Framework Mode (it does not affect Declarative Mode like <BrowserRouter> or Data Mode).
- Patched versions:
  - @remix-run/react 2.17.3+
  - react-router 7.12.0+
Impact:
XSS vulnerabilities can allow attackers to execute scripts in the context of a user’s browser, potentially stealing cookies, session tokens, or performing actions on behalf of the user.
Mitigation:
Upgrade to the patched versions listed above or disable server-side rendering in Framework Mode.
CVE-2025-61686
Type: Path Traversal / Directory Traversal
Affected Software: @react-router/node, @remix-run/node, @remix-run/deno (session storage)
Severity: Critical — CVSS 3.1 9.1 (High confidentiality/integrity/availability impact)
Description:
This vulnerability occurs in the createFileSessionStorage() function when applications use unsigned cookies. An attacker can craft a malicious session cookie that includes directory traversal sequences (../…) to cause the application to read or write files outside the intended session storage directory.
- The exploitation depends on the file system permissions of the web server process.
- Reading arbitrary files does not directly return contents to the attacker, but if a target file matches session format, it may be loaded into server-side session data and later exposed by application logic.
Affected Versions:
- @react-router/node >=7.0.0, <7.9.4
- @remix-run/node <2.17.2
- @remix-run/deno <2.17.2
Patched Versions:
- @react-router/node 7.9.4+
- @remix-run/node 2.17.2+
- @remix-run/deno 2.17.2+
Impact:
A successful exploit could lead to:
- Reading or modifying unauthorized files on the server (depending on permissions).
- Session poisoning or denial of service.
- Potential escalation to more severe impacts if writes can target executable or config files.
Mitigation:
- Update to the patched releases.
- Avoid using unsigned cookies for session storage.
- Restrict server file system permissions to limit what the web server process can access/modify.
Summary of Key Differences
| CVE ID | Type | Affected Component | Severity |
|---|---|---|---|
| CVE-2026-21884 | XSS (Client script injection) | React Router SSR ScrollRestoration | High |
| CVE-2025-61686 | Path Traversal/Directory Traversal | createFileSessionStorage in React Router/Remix | Critical |
