chore(deps): update dependency react-router to v7.15.0 [security]#42
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update dependency react-router to v7.15.0 [security]#42renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
|
❌ Deploy Preview for vektorprogrammet-dashboard failed.
|
4606eb2 to
e052cc3
Compare
e052cc3 to
035ee48
Compare
035ee48 to
9a854c1
Compare
9a854c1 to
f4437aa
Compare
f4437aa to
2febab5
Compare
2febab5 to
0a4fdd2
Compare
|
❌ The last analysis has failed. |
0a4fdd2 to
b90f9d5
Compare
❌ Deploy Preview for vektorprogrammet-dashboard failed.
|
b90f9d5 to
0e36f47
Compare
|
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.



This PR contains the following updates:
7.5.2→7.15.0React Router allows a DoS via cache poisoning by forcing SPA mode
CVE-2025-43864 / GHSA-f46r-rw29-r322
More information
Details
Summary
After some research, it turns out that it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the page. If a cache system is in place, this allows the response containing the error to be cached, resulting in a cache poisoning that strongly impacts the availability of the application.
Details
The vulnerable header is
X-React-Router-SPA-Mode; adding it to a request sent to a page/endpoint using a loader throws an error. Here is the vulnerable code :To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.
Steps to reproduce
Versions used for our PoC:
routes/ssr)/ssrin our case) adding the following header:Notice the difference between a request with and without the header;
Normal request

With the header


Impact
If a system cache is in place, it is possible to poison the response by completely altering its content (by an error message), strongly impacting its availability, making the latter impractical via a cache-poisoning attack.
Credits
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router has XSS Vulnerability
CVE-2025-59057 / GHSA-3cgp-3xvw-98x8
More information
Details
A XSS vulnerability exists in in React Router's
meta()/<Meta>APIs in Framework Mode when generatingscript:ld+jsontags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router has unexpected external redirect via untrusted paths
CVE-2025-68470 / GHSA-9jcx-v3wj-wh4m
More information
Details
An attacker-supplied path can be crafted so that when a React Router application navigates to it via
navigate(),<Link>, orredirect(), the app performs a navigation/redirect to an external URL. This is only an issue if developers pass untrusted content into navigation paths in their application code.Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router SSR XSS in ScrollRestoration
CVE-2026-21884 / GHSA-8v8x-cx79-35w7
More information
Details
A XSS vulnerability exists in in React Router's
<ScrollRestoration>API in Framework Mode when using thegetKey/storageKeyprops during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router vulnerable to XSS via Open Redirects
CVE-2026-22029 / GHSA-2w69-qvjg-hvjx
More information
Details
React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router has CSRF issue in Action/Server Action Request Processing
CVE-2026-22030 / GHSA-h5cw-625j-3rxh
More information
Details
React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route
actionhandlers in Framework Mode, or when using React Server Actions in the new unstable RSC modes.Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router allows pre-render data spoofing on React-Router framework mode
CVE-2025-43865 / GHSA-cpj6-fhp6-mr6j
More information
Details
Summary
After some research, it turns out that it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values of the data object passed to the HTML. Latest versions are impacted.
Details
The vulnerable header is
X-React-Router-Prerender-Data, a specific JSON object must be passed to it in order for the spoofing to be successful as we will see shortly. Here is the vulnerable code :To use the header, React-router must be used in Framework mode, and for the attack to be possible the target page must use a loader.
Steps to reproduce
Versions used for our PoC:
routes/ssr).data. In our case the page is called/ssr:We access it by adding the suffix
.dataand retrieve the data object, needed for the header:X-React-Router-Prerender-Dataheader with the previously retrieved object as its value. You can change any value of yourdataobject (do not touch the other values, the latter being necessary for the object to be processed correctly and not throw an error):As you can see, all values have been changed/overwritten by the values provided via the header.
Impact
The impact is significant, if a cache system is in place, it is possible to poison a response in which all of the data transmitted via a loader would be altered by an attacker allowing him to take control of the content of the page and modify it as he wishes via a cache-poisoning attack. This can lead to several types of attacks including potential stored XSS depending on the context in which the data is injected and/or how the data is used on the client-side.
Credits
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router has stored XSS via unescaped Location header in prerendered redirect HTML
CVE-2026-33244 / GHSA-f22v-gfqf-p8f3
More information
Details
When using React Router v7 Framework Mode with Pre-rendering enabled, an improper neutralization of the HTTP
Locationheader value can permit Cross-Site Scripting (XSS) in statically generated HTML files if the redirect location comes from an untrusted source.Severity
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation
CVE-2026-40181 / GHSA-2j2x-hqr9-3h42
More information
Details
Certain URLs passed to the
redirectfunction can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning theredirect.Severity
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:UReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
CVE-2026-42211 / GHSA-49rj-9fvp-4h2h
More information
Details
When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in which the second step can trigger unauthorized RCE on the remote server.
Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint
CVE-2026-42342 / GHSA-8x6r-g9mw-2r78
More information
Details
There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
React Router vulnerable to Denial of Service via reflected user input in single-fetch
CVE-2026-34077 / GHSA-rxv8-25v2-qmq8
More information
Details
A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0 or later.
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
remix-run/react-router (react-router)
v7.15.0Compare Source
Minor Changes
Stabilize
unstable_defaultShouldRevalidateasdefaultShouldRevalidateon<Link>,<Form>,useLinkClickHandler,useSubmit,fetcher.submit, andsetSearchParams(a993f09)Stabilize the instrumentation APIs.
unstable_instrumentationsis nowinstrumentationsandunstable_patternis nowpattern(a993f09)unstable_ServerInstrumentation,unstable_ClientInstrumentation,unstable_InstrumentRequestHandlerFunction,unstable_InstrumentRouterFunction,unstable_InstrumentRouteFunction, andunstable_InstrumentationHandlerResulttypes have had theirunstable_prefixes removedStabilize
unstable_maskasmaskon<Link>,useLinkClickHandler, anduseNavigate, and rename the correspondingLocation.unstable_maskfield toLocation.mask(a993f09)Stabilize the
unstable_normalizePathoption onstaticHandler.queryandstaticHandler.queryRouteasnormalizePath(a993f09)Stabilize
future.unstable_passThroughRequestsasfuture.v8_passThroughRequests(a993f09)Remove
unstable_subResourceIntegrityfrom the runtimeFutureConfigtype; the flag is now controlled by the top-levelsubResourceIntegrityoption inreact-router.config.ts(a993f09)Stabilize
unstable_urlasurlonloader,action, andmiddlewarefunction args (a993f09)Stabilize
unstable_useTransitionsasuseTransitionson<BrowserRouter>,<HashRouter>,<HistoryRouter>,<MemoryRouter>,<Router>,<RouterProvider>,<HydratedRouter>, anduseLinkClickHandler(a993f09)Patch Changes
Add
nonceto<Scripts><link rel="modulepreload">elements (if provided) (af5d49b)Fix a bug with
unstable_defaultShouldRevalidate={false}where parent routes that did not export ashouldRevalidatefunction could be incorrectly included in the single fetch call for new child route data (#15012)Improve server-side route matching performance by pre-computing flattened/cached route branches (#14967) (af5d49b)
Mark
maskas an optional field inLocationfor easier mocking in unit tests (#14999)Cache flattened/ranked route branches to optimize server-side route matching (#14967)
Improve route matching performance in Framework/Data Mode (#14971) (af5d49b)
matchRoutesin data router scenarios7.6.0(#13562)matchesbut always updatingmatch.routeto the latest route in themanifestv7.14.2Compare Source
Patch Changes
Remove the un-documented custom error serialization logic from the internal turbo-stream implementation. React Router only automatically handles serialization of
Errorand it's standard subtypes (SyntaxError,TypeError, etc.). ([aabf4a1)Properly handle parent middleware redirects during
fetcher.load([aabf4a1)Remove redundant
Omit<RouterProviderProps, "flushSync">fromreact-router/domRouterProvider([aabf4a1)Improved types for
generatePath'sparamarg ([aabf4a1)Type errors when required params are omitted:
Allow omission of optional params:
Allows extra keys:
v7.14.1Compare Source
Patch Changes
HydrateFallbackand initial loaders land before therouter.subscribecall happens in theRouterProviderlayout effectv7.14.0Compare Source
Patch Changes
UNSTABLE RSC FRAMEWORK MODE BREAKING CHANGE - Existing route module exports remain unchanged from stable v7 non-RSC mode, but new exports are added for RSC mode. If you want to use RSC features, you will need to update your route modules to export the new annotations. (#14901)
If you are using RSC framework mode currently, you will need to update your route modules to the new conventions. The following route module components have their own mutually exclusive server component counterparts:
ServerComponentdefaultServerErrorBoundaryErrorBoundaryServerLayoutLayoutServerHydrateFallbackHydrateFallbackIf you were previously exporting a
ServerComponent, yourErrorBoundary,Layout, andHydrateFallbackwere also server components. If you want to keep those as server components, you can rename them and prefix them withServer. If you were previously importing the implementations of those components from a client module, you can simply inline them.Example:
Before
After
rsc Link prefetch (#14902)
Remove recursion from turbo-stream v2 allowing for encoding / decoding of massive payloads. (#14838)
encodeViaTurboStream leaked memory via unremoved AbortSignal listener (#14900)
v7.13.2Compare Source
Patch Changes
Fix clientLoader.hydrate when an ancestor route is also hydrating a clientLoader (#14835)
Fix type error when passing Framework Mode route components using
Route.ComponentPropstocreateRoutesStub(#14892)Fix percent encoding in relative path navigation (#14786)
Add
future.unstable_passThroughRequestsflag (#14775)By default, React Router normalizes the
request.urlpassed to yourloader,action, andmiddlewarefunctions by removing React Router's internal implementation details (.datasuffixes,index+_routesquery params).Enabling this flag removes that normalization and passes the raw HTTP
requestinstance to your handlers. This provides a few benefits:new Request()calls on the critical path.datasuffix (useful for observability purposes)If you were previously relying on the normalization of
request.url, you can switch to use the new siblingunstable_urlparameter which contains aURLinstance representing the normalized location:Internal refactor to consolidate framework-agnostic/React-specific route type layers - no public API changes (#14765)
Sync protocol validation to rsc flows (#14882)
Add a new
unstable_url: URLparameter to route handler methods (loader,action,middleware, etc.) representing the normalized URL the application is navigating to or fetching, with React Router implementation details removed (.datasuffix,index/_routesquery params) (#14775)This is being added alongside the new
future.unstable_passthroughRequestsfuture flag so that users still have a way to access the normalized URL when that flag is enabled and non-normalizedrequest's are being passed to your handlers. When adopting this flag, you will only need to start leveraging this new parameter if you are relying on the normalization ofrequest.urlin your application code.If you don't have the flag enabled, then
unstable_urlwill matchrequest.url.v7.13.1Compare Source
Patch Changes
fix null reference exception in bad codepath leading to invalid route tree comparisons (#14780)
fix: clear timeout when turbo-stream encoding completes (#14810)
Improve error message when Origin header is invalid (#14743)
Fix matchPath optional params matching without a "/" separator. (#14689)
add RSC unstable_getRequest (#14758)
Fix
HydrateFallbackrendering during initial lazy route discovery with matching splat route (#14740)[UNSTABLE] Add support for
<Link unstable_mask>in Data Mode which allows users to navigate to a URL in the router but "mask" the URL displayed in the browser. This is useful for contextual routing usages such as displaying an image in a model on top of a gallery, but displaying a browser URL directly to the image that can be shared and loaded without the contextual gallery in the background. (#14716)Notes:
useLocation().unstable_maskso you can detect whether you are currently masked or not.history.stateduring SSR.backgroundLocationmanagement.RSC: Update failed origin checks to return a 400 status and appropriate UI instead of a generic 500 (#14755)
Preserve query parameters and hash on manifest version mismatch reload (#14813)
v7.13.0Compare Source
Minor Changes
crossOriginprop toLinkscomponent (#14687)Patch Changes
allowedActionOriginsglob check so**matches all domains (#14722)v7.12.0Compare Source
Minor Changes
react-router.config.tsconfigallowedActionOriginsfield. (#14708)Patch Changes
Fix
generatePathwhen used with suffixed params (i.e., "/books/:id.json") (#14269)Export
UNSAFE_createMemoryHistoryandUNSAFE_createHashHistoryalongsideUNSAFE_createBrowserHistoryfor consistency. These are not intended to be used for new apps but intended to help apps usiongunstable_HistoryRoutermigrate from v6->v7 so they can adopt the newer APIs. (#14663)Escape HTML in scroll restoration keys (#14705)
Validate redirect locations (#14706)
[UNSTABLE] Pass
<Scripts nonce>value through to the underlyingimportmapscripttag when usingfuture.unstable_subResourceIntegrity(#14675)[UNSTABLE] Add a new
future.unstable_trailingSlashAwareDataRequestsflag to provide consistent behavior ofrequest.pathnameinsidemiddleware,loader, andactionfunctions on document and data requests when a trailing slash is present in the browser URL. (#14644)Currently, your HTTP and
requestpathnames would be as follows for/a/b/cand/a/b/c//a/b/crequestpathname`/a/b/c/a/b/c✅/a/b/c.data/a/b/c✅/a/b/c/requestpathname`/a/b/c//a/b/c/✅/a/b/c.data/a/b/cWith this flag enabled, these pathnames will be made consistent though a new
_.dataformat for client-side.datarequests:/a/b/crequestpathname`/a/b/c/a/b/c✅/a/b/c.data/a/b/c✅/a/b/c/requestpathname`/a/b/c//a/b/c/✅/a/b/c/_.data⬅️/a/b/c/✅This a bug fix but we are putting it behind an opt-in flag because it has the potential to be a "breaking bug fix" if you are relying on the URL format for any other application or caching logic.
Enabling this flag also changes the format of client side
.datarequests from/_root.datato/_.datawhen navigating to/to align with the new format. This does not impact therequestpathname which is still/in all cases.Preserve
clientLoader.hydrate=truewhen using<HydratedRouter unstable_instrumentations>(#14674)v7.11.0Compare Source
Minor Changes
<HydratedRouter onError>/<RouterProvider onError>(#14546)Patch Changes
add support for throwing redirect Response's at RSC render time (#14596)
Support for throwing
data()and Response from server component render phase. Response body is not serialized as async work is not allowed as error encoding phase. If you wish to transmit data to the boundary, throwdata()instead. (#14632)Fix
unstable_useTransitionsprop on<Router>component to permit omission for backewards compatibility (#14646)routeRSCServerRequestreplacefetchServerwithserverResponse(#14597)[UNSTABLE] Add a new
unstable_defaultShouldRevalidateflag to various APIs to allow opt-ing out of standard revalidation behaviors. (#14542)If active routes include a
shouldRevalidatefunction, then your value will be passed asdefaultShouldRevalidatein those function so that the route always has the final revalidation determination.<Form method="post" unstable_defaultShouldRevalidate={false}>submit(data, { method: "post", unstable_defaultShouldRevalidate: false })<fetcher.Form method="post" unstable_defaultShouldRevalidate={false}>fetcher.submit(data, { method: "post", unstable_defaultShouldRevalidate: false })This is also available on non-submission APIs that may trigger revalidations due to changing search params:
<Link to="/" unstable_defaultShouldRevalidate={false}>navigate("/?foo=bar", { unstable_defaultShouldRevalidate: false })setSearchParams(params, { unstable_defaultShouldRevalidate: false })Allow redirects to be returned from client side middleware (#14598)
Handle
dataStrategyimplementations that return insufficient result sets by adding errors for routes without any available result (#14627)v7.10.1Compare Source
Patch Changes
useOptimisticstub we provide for React 18 users to use a stable setter function to avoid potentialuseEffectloops - specifically when using<Link viewTransition>(#14628)v7.10.0Compare Source
Minor Changes
Stabilize
fetcher.reset()(#14545)fetcher.unstable_reset()Stabilize the
dataStrategymatch.shouldRevalidateArgs/match.shouldCallHandler()APIs. (#14592)The
match.shouldLoadAPI is now marked deprecated in favor of these more powerful alternativesIf you're using this API in a custom
dataStrategytoday, you can swap to the new API at your convenience:match.shouldRevalidateArgsis the argument that will be passed to the routeshouldRevaliatefunctionCombined with the parameter accepted by
match.shouldCallHandler, you can define a custom revalidation behavior for yourdataStrategy:Patch Changes
Fix a Framework Mode bug where the
defaultShouldRevalidateparameter toshouldRevalidatewould not be correct afteractionreturned a 4xx/5xx response (truewhen it should have beenfalse) (#14592)shouldRevalidatefunction relied on that parameter, you may have seen unintended revalidationsFix
fetcher.submitfailing with plain objects containing atagNameproperty (#14534)[UNSTABLE] Add
unstable_patternto the parameters for client sideunstable_onError, refactor how it's called byRouterProviderto avoid potential strict mode issues (#14573)Add new
unstable_useTransitionsflag to routers to give users control over the usage ofReact.startTransitionandReact.useOptimistic. (#14524)<HydratedRouter unstable_transition>/<RouterProvider unstable_transition>React.startTransitionReact.startTransitiontrueif you run into this scenario to get the enhanceduseOptimisticbehavior (requires React 19)trueReact.startTransition(as they are without the flag)Link/Formnavigations will be wrapped inReact.startTransitionReact.useOptimistic(i.e.,useNavigation(),useFetchers(), etc.)falseReact.startTransitionorReact.useOptimisticon any navigations or state changes<BrowserRouter unstable_useTransitions>React.startTransitiontrueReact.startTransition(as they are without the flag)Link/Formnavigations will be wrapped inReact.startTransitionfalseReact.startTransitionon any navigations or state changesFix the promise returned from
useNavigatein Framework/Data Mode so that it properly tracks the duration ofpopstatenavigations (i.e.,navigate(-1)) (#14524)Fix internal type error in useRoute types that surfaces when skipLibCheck is disabled (#14577)
Preserve
statusTexton theErrorResponseinstance when throwingdata()from a route handler (#14555)Opti
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.