CVE-2026-33244 Overview
CVE-2026-33244 is a Cross-Site Scripting (XSS) vulnerability [CWE-79] in React Router, a routing library for React applications. The flaw affects versions 7.5.1 through 7.13.1 when using Framework Mode with pre-rendering enabled. The library fails to properly neutralize the HTTP Location header value, allowing attacker-controlled redirect locations to be embedded unsanitized in statically generated HTML files. Applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are not affected. The maintainers patched the issue in version 7.13.2.
Critical Impact
Untrusted redirect locations injected into pre-rendered HTML can execute arbitrary JavaScript in user browsers, enabling session theft, credential harvesting, and content manipulation.
Affected Products
- Shopify React Router versions 7.5.1 through 7.13.1
- Applications using React Router Framework Mode with pre-rendering enabled
- Statically generated HTML output from affected React Router builds
Discovery Timeline
- 2026-06-02 - CVE-2026-33244 published to NVD
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-33244
Vulnerability Analysis
The vulnerability arises in React Router's Framework Mode pre-rendering pipeline. When a route handler issues a redirect, React Router writes the Location header value into the statically generated HTML output. The pre-rendering process does not HTML-encode or sanitize this value before serialization. If the redirect target is derived from untrusted input such as user-supplied query parameters, request bodies, or upstream service responses, an attacker can inject JavaScript payloads that execute when the static page loads in a browser.
The vulnerability requires user interaction and low-privileged access, and its scope crosses the trust boundary because injected script executes in the victim's browser context under the application origin. Successful exploitation allows attackers to read session cookies accessible to scripts, exfiltrate Document Object Model (DOM) data, and perform actions on behalf of authenticated users.
Root Cause
The root cause is improper neutralization of input during web page generation [CWE-79]. The pre-rendering logic treats the Location header value as trusted markup rather than untrusted data. Output encoding is missing at the point where the redirect target is written into the generated HTML document.
Attack Vector
An attacker crafts a request that influences a redirect destination, for example through a query parameter or Referer header that feeds into a server-side redirect. During the static build or on-demand pre-render, React Router serializes the malicious Location value verbatim into the generated HTML. When a victim loads the resulting page, the embedded script executes in the application origin. Refer to the GitHub Security Advisory GHSA-f22v-gfqf-p8f3 for the maintainer's technical description.
Detection Methods for CVE-2026-33244
Indicators of Compromise
- Pre-rendered HTML files containing <script> tags, javascript: URIs, or event handler attributes inside redirect metadata or <meta http-equiv="refresh"> content attributes.
- Build artifacts where the Location header value contains characters such as <, >, ", or ' without entity encoding.
- Web server access logs showing requests with redirect-influencing parameters containing HTML or JavaScript syntax.
Detection Strategies
- Inventory all React Router deployments and identify versions between 7.5.1 and 7.13.1 using Framework Mode with pre-rendering enabled.
- Scan generated static HTML output for unencoded characters within redirect-related markup using regular expressions or HTML parsers.
- Review server-side redirect handlers to identify code paths where untrusted input flows into the Location response header.
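The scan described in the second strategy above, as an added example that is not React Router project code: it pulls the destination out of each <meta http-equiv="refresh"> tag in a pre-rendered HTML file and flags values that could only have been emitted without encoding. The function names and the placeholder origin are assumptions; only Node's built-in URL parser is used.

```javascript
// Added example for this page, not React Router project code: scans
// pre-rendered HTML for <meta http-equiv="refresh"> redirect metadata whose
// destination was written without encoding. Uses only Node's built-in URL.
const META_REFRESH_RE = /<meta\b[^>]*\bhttp-equiv\s*=\s*["']?refresh["']?[^>]*>/gi;
// The closing quote is optional on purpose: an unencoded `"` in the value
// truncates the attribute, and we still want to see what was emitted.
const CONTENT_RE = /\bcontent\s*=\s*(?:"([^"]*)"?|'([^']*)'?|([^\s>]+))/i;
const RAW_METACHARS = /[<>"'`]/;
const ALLOWED_PROTOCOLS = new Set(["http:", "https:"]);
// Heuristic: markup injected through an unencoded value lands right after
// the truncated <meta> tag. Findings with this reason need manual review.
const ACTIVE_ELEMENT_AFTER_RE = /^\s*<(script|img|svg|iframe|object|embed)\b/i;

// "0;url=/next" -> "/next"; a bare URL is returned unchanged.
function refreshTarget(content) {
  const m = /^\s*\d*\s*;?\s*url\s*=\s*(.*)$/i.exec(content);
  return (m ? m[1] : content).trim();
}

// Returns null for a destination that looks safely encoded, else a reason.
function classifyTarget(target) {
  if (target === "") return "empty destination (possible attribute breakout)";
  if (RAW_METACHARS.test(target)) return "raw HTML metacharacter in destination";
  let url;
  try {
    // Relative targets resolve against a placeholder; only the scheme matters.
    url = new URL(target, "https://placeholder.invalid/");
  } catch {
    return "unparseable destination";
  }
  if (!ALLOWED_PROTOCOLS.has(url.protocol)) return `disallowed scheme ${url.protocol}`;
  return null;
}

// Scans one HTML document; returns one finding per suspicious refresh tag.
function scanPrerenderedHtml(html) {
  const findings = [];
  for (const m of html.matchAll(META_REFRESH_RE)) {
    const tag = m[0];
    const c = CONTENT_RE.exec(tag);
    const target = refreshTarget(c ? (c[1] ?? c[2] ?? c[3]) : "");
    let reason = classifyTarget(target);
    if (!reason && ACTIVE_ELEMENT_AFTER_RE.test(html.slice(m.index + tag.length))) {
      reason = "active element immediately after redirect metadata";
    }
    if (reason) findings.push({ tag, target, reason });
  }
  return findings;
}
```

Run it over every .html file in the build output directory; a clean build from a patched version should produce no findings, while a destination that broke out of the attribute shows up as an empty or truncated target followed by injected markup.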
Monitoring Recommendations
- Enable Content Security Policy (CSP) reporting endpoints to capture inline script violations on pre-rendered pages.
- Monitor web application firewall (WAF) logs for redirect parameter values containing script syntax or HTML metacharacters.
- Track Software Bill of Materials (SBOM) entries for react-router package versions across development and production builds.
How to Mitigate CVE-2026-33244
Immediate Actions Required
- Upgrade React Router to version 7.13.2 or later across all affected projects and rebuild static assets.
- Audit server-side route handlers that issue redirects to confirm whether untrusted input reaches the Location header.
- Invalidate cached pre-rendered HTML produced by vulnerable versions and redeploy from a patched build.
Patch Information
The maintainers released a fix in React Router 7.13.2 that properly encodes the Location header value before embedding it in pre-rendered HTML. Details are published in the React Router Security Advisory GHSA-f22v-gfqf-p8f3.
Workarounds
- Disable pre-rendering in Framework Mode until the upgrade to 7.13.2 is completed.
- Switch affected routes to Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>), which are not impacted.
- Validate and allowlist redirect destinations server-side, rejecting any Location value not matching expected URL patterns.
- Apply a strict Content Security Policy that blocks inline scripts and restricts script sources to trusted origins.
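The server-side allowlisting workaround above, as an added example that is not React Router project code: a validator that accepts only same-origin absolute paths and returns a fixed fallback for everything else, so a loader never passes untrusted input to the Location header. APP_ORIGIN, safeRedirectTarget and the returnTo parameter are assumed names; the loader usage in the trailing comment is illustrative.

```javascript
// Added example for this page, not React Router project code: allowlists a
// redirect destination before it reaches the Location header. Only same-origin
// absolute paths pass; everything else falls back to a fixed safe path.
// APP_ORIGIN and safeRedirectTarget are assumed names.
const APP_ORIGIN = "https://app.example"; // constructed application origin

function safeRedirectTarget(candidate, fallback = "/") {
  if (typeof candidate !== "string" || candidate.length === 0 || candidate.length > 2048) {
    return fallback;
  }
  // Must be a single-slash absolute path: no scheme ("javascript:", "https:"),
  // no protocol-relative "//host", no backslash (browsers treat "\" as "/").
  if (!candidate.startsWith("/") || candidate.startsWith("//") || candidate.includes("\\")) {
    return fallback;
  }
  // Raw whitespace, control characters and HTML metacharacters never belong in
  // a redirect path, so reject them instead of relying on downstream encoding.
  if (/[\s<>"'`\u0000-\u001f\u007f]/.test(candidate)) {
    return fallback;
  }
  let url;
  try {
    url = new URL(candidate, APP_ORIGIN);
  } catch {
    return fallback;
  }
  // Defence in depth: the resolved URL must still live on the application origin.
  if (url.origin !== APP_ORIGIN) {
    return fallback;
  }
  // Return the normalised path (".." segments collapsed) rather than the raw input.
  return url.pathname + url.search + url.hash;
}

// Illustrative use inside a Framework Mode loader (react-router exports redirect()):
//   const returnTo = new URL(request.url).searchParams.get("returnTo");
//   return redirect(safeRedirectTarget(returnTo, "/dashboard"));
```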
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


