chore(deps): update dependency react-router to v7.15.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
react-router (source)	7.13.0 → 7.15.0

---

React Router has stored XSS via unescaped Location header in prerendered redirect HTML

CVE-2026-33244 / GHSA-f22v-gfqf-p8f3

More information

Details

When using React Router v7 Framework Mode with Pre-rendering enabled, an improper neutralization of the HTTP Location header value can permit Cross-Site Scripting (XSS) in statically generated HTML files if the redirect location comes from an untrusted source.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

• CVSS Score: 5.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-f22v-gfqf-p8f3
• https://nvd.nist.gov/vuln/detail/CVE-2026-33244
• https://github.com/advisories/GHSA-f22v-gfqf-p8f3

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets

CVE-2026-33245 / GHSA-8646-j5j9-6r62

More information

Details

When using React Router v7's unstable RSC APIs, there exists a potential client-side XSS issue in the RSC redirect handling if redirects are coming from untrusted sources

[!NOTE]
This only impacts your application if you are using the unstable RSC APIs in React Router.

Severity

• CVSS Score: 8.0 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62
• https://nvd.nist.gov/vuln/detail/CVE-2026-33245
• https://github.com/advisories/GHSA-8646-j5j9-6r62

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

CVE-2026-40181 / GHSA-2j2x-hqr9-3h42

More information

Details

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>)

Severity

• CVSS Score: 6.6 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42
• https://nvd.nist.gov/vuln/detail/CVE-2026-40181
• https://github.com/advisories/GHSA-2j2x-hqr9-3h42

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

CVE-2026-42211 / GHSA-49rj-9fvp-4h2h

More information

Details

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in which the second step can trigger unauthorized RCE on the remote server.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h
• https://nvd.nist.gov/vuln/detail/CVE-2026-42211
• https://github.com/advisories/GHSA-49rj-9fvp-4h2h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

CVE-2026-42342 / GHSA-8x6r-g9mw-2r78

More information

Details

There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78
• https://nvd.nist.gov/vuln/detail/CVE-2026-42342
• https://github.com/advisories/GHSA-8x6r-g9mw-2r78

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

remix-run/react-router (react-router)

v7.15.0

Compare Source

Minor Changes

• Stabilize unstable_defaultShouldRevalidate as defaultShouldRevalidate on <Link>, <Form>, useLinkClickHandler, useSubmit, fetcher.submit, and setSearchParams (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize the instrumentation APIs. unstable_instrumentations is now instrumentations and unstable_pattern is now pattern (a993f09)

  • The unstable_ServerInstrumentation, unstable_ClientInstrumentation, unstable_InstrumentRequestHandlerFunction, unstable_InstrumentRouterFunction, unstable_InstrumentRouteFunction, and unstable_InstrumentationHandlerResult types have had their unstable_ prefixes removed
  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize unstable_mask as mask on <Link>, useLinkClickHandler, and useNavigate, and rename the corresponding Location.unstable_mask field to Location.mask (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize the unstable_normalizePath option on staticHandler.query and staticHandler.queryRoute as normalizePath (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize future.unstable_passThroughRequests as future.v8_passThroughRequests (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Remove unstable_subResourceIntegrity from the runtime FutureConfig type; the flag is now controlled by the top-level subResourceIntegrity option in react-router.config.ts (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize unstable_url as url on loader, action, and middleware function args (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

• Stabilize unstable_useTransitions as useTransitions on <BrowserRouter>, <HashRouter>, <HistoryRouter>, <MemoryRouter>, <Router>, <RouterProvider>, <HydratedRouter>, and useLinkClickHandler (a993f09)

  • ⚠️ This is a breaking change if you have already opted into the unstable version - you will need to update your code accordingly

Patch Changes

• Add nonce to <Scripts> <link rel="modulepreload"> elements (if provided) (af5d49b)

• Fix a bug with unstable_defaultShouldRevalidate={false} where parent routes that did not export a shouldRevalidate function could be incorrectly included in the single fetch call for new child route data (#​15012)

• Improve server-side route matching performance by pre-computing flattened/cached route branches (#​14967) (af5d49b)

  • Performance benchmarks showed roughly a 10-15% improvement in server-side request handling performance

• Mark mask as an optional field in Location for easier mocking in unit tests (#​14999)

• Cache flattened/ranked route branches to optimize server-side route matching (#​14967)

• Improve route matching performance in Framework/Data Mode (#​14971) (af5d49b)

  • Avoiding unnecessary calls to matchRoutes in data router scenarios
    • This includes adding back the optimization that was removed in 7.6.0 (#​13562)
    • The issues that prompted the revert have been addressed by using the available router matches but always updating match.route to the latest route in the manifest
  • Leverage pre-computed pre-computing flattened/cached route branches during client side route matching
  • Performance benchmarks showed roughly a 15-30% improvement in server-side request handling performance

v7.14.2

Compare Source

Patch Changes

• Remove the un-documented custom error serialization logic from the internal turbo-stream implementation. React Router only automatically handles serialization of Error and it's standard subtypes (SyntaxError, TypeError, etc.). ([aabf4a1)

• Properly handle parent middleware redirects during fetcher.load ([aabf4a1)

• Remove redundant Omit<RouterProviderProps, "flushSync"> from react-router/dom RouterProvider ([aabf4a1)

• Improved types for generatePath's param arg ([aabf4a1)

  Type errors when required params are omitted:

  // Before
  // Passes type checks, but throws at runtime 💥
  generatePath(":required", { required: null });
  
  // After
  generatePath(":required", { required: null });
  //                          ^^^^^^^^ Type 'null' is not assignable to type 'string'.ts(2322)

  Allow omission of optional params:

  // Before
  generatePath(":optional?", {});
  //                         ^^ Property 'optional' is missing in type '{}' but required in type '{ optional: string | null | undefined; }'.ts(2741)
  
  // After
  generatePath(":optional?", {});

  Allows extra keys:

  // Before
  generatePath(":a", { a: "1", b: "2" });
  //                           ^ Object literal may only specify known properties, and 'b' does not exist in type '{ a: string; }'.ts(2353)
  
  // After
  generatePath(":a", { a: "1", b: "2" });

v7.14.1

Compare Source

Patch Changes

• Fix a potential race condition that can occur when rendering a HydrateFallback and initial loaders land before the router.subscribe call happens in the RouterProvider layout effect
• Normalize double-slashes in redirect paths

v7.14.0

Compare Source

Patch Changes

• UNSTABLE RSC FRAMEWORK MODE BREAKING CHANGE - Existing route module exports remain unchanged from stable v7 non-RSC mode, but new exports are added for RSC mode. If you want to use RSC features, you will need to update your route modules to export the new annotations. (#​14901)

  If you are using RSC framework mode currently, you will need to update your route modules to the new conventions. The following route module components have their own mutually exclusive server component counterparts:

  Server Component Export	Client Component
  ServerComponent	default
  ServerErrorBoundary	ErrorBoundary
  ServerLayout	Layout
  ServerHydrateFallback	HydrateFallback

  If you were previously exporting a ServerComponent, your ErrorBoundary, Layout, and HydrateFallback were also server components. If you want to keep those as server components, you can rename them and prefix them with Server. If you were previously importing the implementations of those components from a client module, you can simply inline them.

  Example:

  Before

  import { ErrorBoundary as ClientErrorBoundary } from "./client";
  
  export function ServerComponent() {
    // ...
  }
  
  export function ErrorBoundary() {
    return <ClientErrorBoundary />;
  }
  
  export function Layout() {
    // ...
  }
  
  export function HydrateFallback() {
    // ...
  }

  After

  export function ServerComponent() {
    // ...
  }
  
  export function ErrorBoundary() {
    // previous implementation of ClientErrorBoundary, this is now a client component
  }
  
  export function ServerLayout() {
    // rename previous Layout export to ServerLayout to make it a server component
  }
  
  export function ServerHydrateFallback() {
    // rename previous HydrateFallback export to ServerHydrateFallback to make it a server component
  }

• rsc Link prefetch (#​14902)

• Remove recursion from turbo-stream v2 allowing for encoding / decoding of massive payloads. (#​14838)

• encodeViaTurboStream leaked memory via unremoved AbortSignal listener (#​14900)

v7.13.2

Compare Source

Patch Changes

• Fix clientLoader.hydrate when an ancestor route is also hydrating a clientLoader (#​14835)

• Fix type error when passing Framework Mode route components using Route.ComponentProps to createRoutesStub (#​14892)

• Fix percent encoding in relative path navigation (#​14786)

• Add future.unstable_passThroughRequests flag (#​14775)

  By default, React Router normalizes the request.url passed to your loader, action, and middleware functions by removing React Router's internal implementation details (.data suffixes, index + _routes query params).

  Enabling this flag removes that normalization and passes the raw HTTP request instance to your handlers. This provides a few benefits:

  • Reduces server-side overhead by eliminating multiple new Request() calls on the critical path
  • Allows you to distinguish document from data requests in your handlers base don the presence of a .data suffix (useful for observability purposes)

  If you were previously relying on the normalization of request.url, you can switch to use the new sibling unstable_url parameter which contains a URL instance representing the normalized location:

  // ❌ Before: you could assume there was no `.data` suffix in `request.url`
  export async function loader({ request }: Route.LoaderArgs) {
    let url = new URL(request.url);
    if (url.pathname === "/path") {
      // This check will fail with the flag enabled because the `.data` suffix will
      // exist on data requests
    }
  }
  
  // ✅ After: use `unstable_url` for normalized routing logic and `request.url`
  // for raw routing logic
  export async function loader({ request, unstable_url }: Route.LoaderArgs) {
    if (unstable_url.pathname === "/path") {
      // This will always have the `.data` suffix stripped
    }
  
    // And now you can distinguish between document versus data requests
    let isDataRequest = new URL(request.url).pathname.endsWith(".data");
  }

• Internal refactor to consolidate framework-agnostic/React-specific route type layers - no public API changes (#​14765)

• Sync protocol validation to rsc flows (#​14882)

• Add a new unstable_url: URL parameter to route handler methods (loader, action, middleware, etc.) representing the normalized URL the application is navigating to or fetching, with React Router implementation details removed (.datasuffix, index/_routes query params) (#​14775)

  This is being added alongside the new future.unstable_passthroughRequests future flag so that users still have a way to access the normalized URL when that flag is enabled and non-normalized request's are being passed to your handlers. When adopting this flag, you will only need to start leveraging this new parameter if you are relying on the normalization of request.url in your application code.

  If you don't have the flag enabled, then unstable_url will match request.url.

v7.13.1

Compare Source

Patch Changes

• fix null reference exception in bad codepath leading to invalid route tree comparisons (#​14780)

• fix: clear timeout when turbo-stream encoding completes (#​14810)

• Improve error message when Origin header is invalid (#​14743)

• Fix matchPath optional params matching without a "/" separator. (#​14689)

  • matchPath("/users/:id?", "/usersblah") now returns null.
  • matchPath("/test_route/:part?", "/test_route_more") now returns null.

• add RSC unstable_getRequest (#​14758)

• Fix HydrateFallback rendering during initial lazy route discovery with matching splat route (#​14740)

• [UNSTABLE] Add support for <Link unstable_mask> in Data Mode which allows users to navigate to a URL in the router but "mask" the URL displayed in the browser. This is useful for contextual routing usages such as displaying an image in a model on top of a gallery, but displaying a browser URL directly to the image that can be shared and loaded without the contextual gallery in the background. (#​14716)

  // routes/gallery.tsx
  export function clientLoader({ request }: Route.LoaderArgs) {
    let sp = new URL(request.url).searchParams;
    return {
      images: getImages(),
      // When the router location has the image param, load the modal data
      modalImage: sp.has("image") ? getImage(sp.get("image")!) : null,
    };
  }
  
  export default function Gallery({ loaderData }: Route.ComponentProps) {
    return (
      <>
        <GalleryGrid>
          {loaderData.images.map((image) => (
            <Link
              key={image.id}
              {/* Navigate the router to /galley?image=N */}}
              to={`/gallery?image=${image.id}`}
              {/* But display /images/N in the URL bar */}}
              unstable_mask={`/images/${image.id}`}
            >
              <img src={image.url} alt={image.alt} />
            </Link>
          ))}
        </GalleryGrid>
  
        {/* When the modal data exists, display the modal */}
        {data.modalImage ? (
          <dialog open>
            <img src={data.modalImage.url} alt={data.modalImage.alt} />
          </dialog>
        ) : null}
      </>
    );
  }

  Notes:

  • The masked location, if present, will be available on useLocation().unstable_mask so you can detect whether you are currently masked or not.
  • Masked URLs only work for SPA use cases, and will be removed from history.state during SSR.
  • This provides a first-class API to mask URLs in Data Mode to achieve the same behavior you could do in Declarative Mode via manual backgroundLocation management.

• RSC: Update failed origin checks to return a 400 status and appropriate UI instead of a generic 500 (#​14755)

• Preserve query parameters and hash on manifest version mismatch reload (#​14813)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.