CVE-2026-33245 Overview
CVE-2026-33245 is a client-side Cross-Site Scripting (XSS) vulnerability in React Router, a routing library for React applications. The flaw affects versions 7.7.0 through 7.13.1 when applications use the unstable React Server Components (RSC) APIs. The vulnerability resides in the RSC redirect handling logic, which can process untrusted redirect targets without proper sanitization. Applications that do not use the unstable RSC APIs are not impacted. The maintainers patched the issue in version 7.13.2. The vulnerability is classified under CWE-79, Improper Neutralization of Input During Web Page Generation.
Critical Impact
Attackers can execute arbitrary JavaScript in a victim's browser by supplying crafted redirect responses, enabling session theft, account takeover, and client-side data exfiltration.
Affected Products
- React Router versions 7.7.0 through 7.13.1
- React applications using the unstable React Server Components (RSC) APIs
- Server-side rendered React applications relying on RSC redirect flows
Discovery Timeline
- 2026-06-02 - CVE-2026-33245 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-33245
Vulnerability Analysis
The vulnerability exists in React Router's unstable RSC redirect handling. When the framework processes a redirect originating from an RSC response, the redirect destination is consumed by client-side navigation logic without sufficient validation of the target value. If the redirect source is untrusted, an attacker can inject a JavaScript URI or other executable payload that the router subsequently honors during navigation. The browser then evaluates the attacker-controlled script in the origin of the vulnerable application.
Exploitation requires user interaction and a viable injection point for the malicious redirect, such as an attacker-controlled upstream service or a server-side handler that reflects unvalidated input into an RSC redirect. Successful exploitation yields execution in the security context of the targeted application, allowing the attacker to read cookies accessible to JavaScript, manipulate the DOM, or pivot to authenticated API calls.
Root Cause
The root cause is missing or insufficient validation of redirect target URLs returned through the RSC pipeline. The client-side router treats the redirect value as a trusted navigation directive, permitting non-HTTP schemes such as javascript: to be passed to navigation primitives. This is a classic output-neutralization failure mapped to CWE-79.
Attack Vector
The attack is network-based and requires user interaction. An attacker crafts or influences an RSC response that contains a malicious redirect target. When a user triggers the affected route in a vulnerable application, the router consumes the redirect and executes the attacker-supplied script in the browser. Refer to the GitHub Security Advisory GHSA-8646-j5j9-6r62 for advisory-level technical details.
No verified exploit code is publicly available for CVE-2026-33245. See the GitHub Security Advisory referenced above for technical details.
Detection Methods for CVE-2026-33245
Indicators of Compromise
- Outbound HTTP responses containing RSC payloads with redirect targets using non-HTTP schemes such as javascript:, data:, or vbscript:.
- Browser console errors or Content Security Policy (CSP) violations referencing inline script execution on routes that use RSC navigation.
- Unexpected client-side requests to attacker-controlled domains following navigation events in RSC-enabled routes.
Detection Strategies
- Audit application dependencies for react-router versions in the range 7.7.0 through 7.13.1 using software composition analysis tooling.
- Inspect server logs for RSC responses where the redirect Location value originates from user-controlled input or third-party data sources.
- Deploy a strict Content Security Policy and monitor report-uri or report-to endpoints for violations indicating injected script execution.
Monitoring Recommendations
- Enable runtime monitoring for anomalous JavaScript execution patterns on pages that invoke RSC navigation.
- Correlate web application firewall (WAF) telemetry with upstream services that feed redirect destinations into RSC handlers.
- Track dependency changes in CI/CD pipelines and alert on installs of vulnerable React Router versions.
How to Mitigate CVE-2026-33245
Immediate Actions Required
- Upgrade react-router to version 7.13.2 or later across all applications using the unstable RSC APIs.
- Identify and inventory every code path that constructs RSC redirects from external or user-supplied data.
- Apply server-side validation that restricts redirect destinations to an allowlist of internal paths or trusted origins.
Patch Information
The maintainers fixed CVE-2026-33245 in React Router version 7.13.2. The patch hardens RSC redirect handling so that untrusted redirect targets cannot trigger script execution during client-side navigation. Patch details and the official advisory are available in the GitHub Security Advisory GHSA-8646-j5j9-6r62.
Workarounds
- Disable the unstable React Server Components APIs in React Router until the upgrade to 7.13.2 is complete.
- Validate all redirect destinations server-side and reject any value whose scheme is not http or https.
- Enforce a strict Content Security Policy that disallows javascript: URIs and inline script execution to reduce exploitability.
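The allowlist validation recommended above, and the same check applied to redirect log lines as a detection pass, as an added example that is not React Router's own code. SELF_ORIGIN, ALLOWED_ORIGINS, the function names and the log line format are assumptions.

```javascript
const SELF_ORIGIN = "https://app.example.com";   // assumed: the application's own origin
const ALLOWED_ORIGINS = new Set([SELF_ORIGIN]);  // add other trusted origins here

// Returns { ok: true, target } for an acceptable destination, else { ok: false, reason }.
// The WHATWG URL parser does the hard work: it strips leading control characters
// and whitespace, lowercases the scheme, and resolves "//host" and "\\host" forms
// against the base, so they surface as off-origin absolute URLs instead of paths.
function validateRedirectTarget(raw, allowedOrigins = ALLOWED_ORIGINS) {
  if (typeof raw !== "string" || raw.trim() === "") {
    return { ok: false, reason: "empty target" };
  }
  let url;
  try {
    url = new URL(raw, SELF_ORIGIN); // relative paths resolve to our own origin
  } catch {
    return { ok: false, reason: "unparseable target" };
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} rejected` };
  }
  if (!allowedOrigins.has(url.origin)) {
    return { ok: false, reason: `origin ${url.origin} not allowlisted` };
  }
  return { ok: true, target: url.href }; // re-serialised, never the raw bytes
}

// Detection: apply the same check to redirect log lines and report the ones a
// vulnerable client would have honoured. Line format below is constructed.
function findSuspiciousRedirects(logLines) {
  const flagged = [];
  for (const line of logLines) {
    const m = /location="([^"]*)"/.exec(line);
    if (!m) continue;
    const verdict = validateRedirectTarget(m[1]);
    if (!verdict.ok) flagged.push({ line, reason: verdict.reason });
  }
  return flagged;
}

// Constructed sample log lines, not taken from any real deployment.
const SAMPLE_LOG = [
  '2026-06-02T10:00:01Z rsc-redirect route=/login location="/dashboard"',
  '2026-06-02T10:00:02Z rsc-redirect route=/login location="javascript:alert(1)"',
  '2026-06-02T10:00:03Z rsc-redirect route=/login location="//evil.example/phish"',
  '2026-06-02T10:00:04Z rsc-redirect route=/login location="https://app.example.com/settings"',
];

const FLAGGED = findSuspiciousRedirects(SAMPLE_LOG);
for (const hit of FLAGGED) console.log(hit.reason, "<-", hit.line);
```

Run the validator on the server before the redirect is emitted through the RSC response; the client-side router should only ever see the re-serialised target.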
# Upgrade React Router to the patched version
npm install react-router@7.13.2
# or
yarn add react-router@7.13.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


