CVE-2026-34077 Overview
CVE-2026-34077 is a client-side Cross-Site Scripting (XSS) vulnerability in React Router's unstable React Server Components (RSC) redirect handling. The flaw affects versions 7.7.0 through 7.13.1 when applications use the unstable RSC APIs and process redirects originating from untrusted sources. Applications that do not use the unstable RSC APIs are not affected. The maintainers patched the issue in version 7.13.2. The vulnerability is tracked under CWE-770 and was disclosed via the GitHub Security Advisory GHSA-rxv8-25v2-qmq8.
Critical Impact
An attacker who can influence a redirect target consumed by the RSC client can run script in the victim's browser within the vulnerable application's origin. From there the payload can read whatever the page can read (cookies not marked HttpOnly, tokens kept in web storage), issue requests as the victim, and otherwise compromise the client side of React Router RSC applications.
Affected Products
- React Router versions 7.7.0 through 7.13.1
- Applications using React Router unstable React Server Components (RSC) APIs
- Fixed in React Router 7.13.2
Discovery Timeline
- 2026-06-02 - CVE-2026-34077 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-34077
Vulnerability Analysis
React Router is a widely used routing library for React applications. The unstable RSC APIs introduced in the 7.x series support server-driven navigation, including server-issued redirects consumed by the client runtime. The vulnerability arises when the RSC redirect handler accepts a redirect target from an untrusted source and navigates to it without validating the destination's scheme. An attacker who controls or influences the redirect input can supply a destination such as a javascript: URL; the client navigates to it and the script runs in the user's browser. The impact is limited to applications that have opted into the unstable RSC APIs; standard React Router routing flows are unaffected.
Root Cause
The root cause is insufficient validation of redirect URLs returned through the RSC stream. The client-side redirect handler in versions 7.7.0 through 7.13.1 does not enforce a strict allowlist of safe URL schemes before performing navigation. As a result, attacker-controlled values such as javascript: URIs reaching the redirect path lead to script execution. Note that CWE-770 denotes Allocation of Resources Without Limits or Throttling; the behaviour described here matches the cross-site scripting weakness, CWE-79, in which untrusted input reaches a sink that interprets it as script.
Attack Vector
Exploitation is network-based and requires no special privileges; the victim only has to perform the navigation that causes the RSC client to process the attacker-influenced redirect, for example by following a crafted link. The attacker gets a value into a redirect response handled by the RSC client by abusing an open redirect endpoint, a server route that echoes user input into a redirect target, or any upstream service that returns redirect targets to the React Router RSC runtime. When the client processes the malicious redirect, the script payload executes in the origin of the vulnerable application. Refer to the GitHub Security Advisory for additional technical context.
Detection Methods for CVE-2026-34077
Indicators of Compromise
- Outbound or in-app redirect responses containing non-HTTP URL schemes such as javascript:, data:, or vbscript: in RSC payloads, including obfuscated forms (mixed-case schemes, embedded tabs or newlines, leading whitespace) that browsers normalise before navigating.
- Browser console errors or Content Security Policy (CSP) violations originating from unexpected inline script execution following navigation events.
- Server logs showing untrusted user input flowing into routes that produce RSC redirect responses.
Detection Strategies
- Inventory all applications using React Router and identify those on versions 7.7.0 through 7.13.1 that import the unstable RSC APIs.
- Perform static analysis on server route handlers to find redirects whose target is derived from query strings, headers, or third-party responses without scheme validation.
- Add automated tests that submit javascript:, data: and vbscript: targets, including mixed-case and tab- or newline-obfuscated variants and protocol-relative (//host) paths, to redirect-producing endpoints and verify they are rejected.
Monitoring Recommendations
- Enable a strict Content Security Policy whose script-src does not include 'unsafe-inline'; CSP treats javascript: URL navigations as inline script, so such a policy blocks this class of payload and limits the impact of any successful XSS.
- Monitor web application firewall (WAF) and proxy logs for redirect responses containing non-standard URL schemes.
- Capture browser-side telemetry for CSP violations and unexpected navigations to surface attempted exploitation.
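The log-based indicators above (untrusted input flowing into redirect-producing routes, and redirect responses carrying non-HTTP schemes) can be checked offline. The following is an added example, not code from React Router or from the advisory: it scans a constructed set of JSON log lines that record each redirect target a server emitted, classifies every target with the same URL parser a browser uses (so mixed-case and tab-obfuscated javascript: schemes and protocol-relative hosts are caught), and shows why a naive string-prefix match is not enough. The log format, the field names and APP_ORIGIN are assumptions made for this example.

```javascript
// Added example (not React Router or advisory code). The log format below is
// constructed: one JSON object per line with a "redirect" field holding the
// target the server returned to the RSC client.
const APP_ORIGIN = "https://app.example"; // assumed origin of the protected app

const SAMPLE_LOG = [
  '{"ts":"2026-06-02T10:00:01Z","route":"/login","redirect":"/dashboard"}',
  '{"ts":"2026-06-02T10:00:02Z","route":"/login","redirect":"https://app.example/settings"}',
  '{"ts":"2026-06-02T10:00:03Z","route":"/login","redirect":"javascript:alert(document.cookie)"}',
  '{"ts":"2026-06-02T10:00:04Z","route":"/login","redirect":"JaVaScRiPt:alert(1)"}',
  // JSON "\t" decodes to a real tab; browsers strip tabs/newlines before parsing the scheme
  '{"ts":"2026-06-02T10:00:05Z","route":"/login","redirect":"java\\tscript:alert(1)"}',
  '{"ts":"2026-06-02T10:00:06Z","route":"/login","redirect":"data:text/html,<script>alert(1)</script>"}',
  '{"ts":"2026-06-02T10:00:07Z","route":"/login","redirect":"//evil.example/phish"}',
  '{"ts":"2026-06-02T10:00:08Z","route":"/login","redirect":"http://[unterminated"}',
  "plain text line that is not JSON and is skipped",
];

const DANGEROUS_SCHEMES = new Set(["javascript:", "data:", "vbscript:"]);

// Classify one redirect target. Resolving against the app origin applies the
// WHATWG normalisation a browser applies (tab/newline removal, lowercase scheme,
// backslash-as-slash, protocol-relative resolution), so the verdict reflects
// where the browser would actually go.
function classifyRedirect(target, origin = APP_ORIGIN) {
  let url;
  try {
    url = new URL(target, origin);
  } catch {
    return "unparseable"; // the client may still interpret it; treat as suspicious
  }
  if (DANGEROUS_SCHEMES.has(url.protocol)) return "script-scheme";
  if (url.protocol !== "http:" && url.protocol !== "https:") return "other-scheme";
  if (url.origin !== origin) return "cross-origin";
  return "ok";
}

// Walk the log and return one finding per non-"ok" redirect.
function scanRedirectLog(lines, origin = APP_ORIGIN) {
  const findings = [];
  for (const [index, line] of lines.entries()) {
    let entry;
    try {
      entry = JSON.parse(line);
    } catch {
      continue; // non-JSON noise
    }
    if (typeof entry.redirect !== "string") continue;
    const verdict = classifyRedirect(entry.redirect, origin);
    if (verdict !== "ok") {
      findings.push({ line: index + 1, ts: entry.ts, route: entry.route, verdict, target: entry.redirect });
    }
  }
  return findings;
}

// The check a first-pass grep usually implements: a case-sensitive prefix match.
// It sees only one of the three javascript: payloads in the sample log.
function naivePrefixHits(lines) {
  let hits = 0;
  for (const line of lines) {
    try {
      const entry = JSON.parse(line);
      if (typeof entry.redirect === "string" && entry.redirect.startsWith("javascript:")) hits += 1;
    } catch {
      // ignore non-JSON lines
    }
  }
  return hits;
}

for (const finding of scanRedirectLog(SAMPLE_LOG)) {
  console.log(`line ${finding.line} ${finding.ts} ${finding.route} ${finding.verdict}: ${finding.target}`);
}
console.log(`naive prefix match would have flagged ${naivePrefixHits(SAMPLE_LOG)} line(s)`);
```

Against the constructed log the parser-based scan flags lines 3 through 8 (four script-scheme targets, one cross-origin protocol-relative target, one unparseable value), while the prefix match flags only line 3. Run the same classifyRedirect over real proxy or WAF exports by adapting the JSON field name; the verdicts map directly onto the indicators listed above.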
How to Mitigate CVE-2026-34077
Immediate Actions Required
- Upgrade React Router to version 7.13.2 or later in all applications that use the unstable RSC APIs.
- Audit redirect-producing routes and ensure redirect targets come only from trusted, validated sources.
- Reject any redirect destination that does not use the http: or https: scheme, or restrict redirects to same-origin relative paths. Check the parsed scheme and origin (for example via the URL constructor) rather than a string prefix: browsers strip tabs and newlines and ignore case in the scheme, and protocol-relative (//host) or backslash-prefixed (/\host) paths resolve to other hosts.
Patch Information
The React Router maintainers fixed CVE-2026-34077 in version 7.13.2. Upgrade the react-router dependency to 7.13.2 or later. Full remediation details are available in the GHSA-rxv8-25v2-qmq8 advisory.
Workarounds
- Stop using the unstable RSC APIs until the upgrade to 7.13.2 is complete.
- Validate redirect URLs server-side with a strict allowlist of schemes and hosts before returning them to the client.
- Deploy a strong Content Security Policy that blocks inline scripts (which also blocks javascript: URL navigations) as a defense-in-depth control.
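The scheme restriction under Immediate Actions and the server-side allowlist under Workarounds come down to one validator. The block below is an added example, not React Router's own code or the fix shipped in 7.13.2: it puts a typical insufficient blocklist check next to a hardened allowlist validator that parses the target the way a browser does, accepts only https: destinations on known origins, and returns same-origin targets as relative paths so the client never receives an absolute URL it did not need. APP_ORIGIN and TRUSTED_ORIGINS are assumed values for the example.

```javascript
// Added example (not React Router code). Origins are constructed for the example.
const APP_ORIGIN = "https://app.example";
const TRUSTED_ORIGINS = new Set([APP_ORIGIN, "https://accounts.example"]);

// Insufficient: a blocklist on the raw string. It lets through "java\tscript:"
// (browsers drop tabs/newlines before parsing the scheme), " javascript:" with
// leading whitespace, data: URLs, and protocol-relative "//evil.example".
function weakIsSafe(target) {
  return !target.toLowerCase().startsWith("javascript:");
}

// Hardened: parse first, then allowlist. Returns the target to navigate to, or
// null when the redirect must be dropped (fail closed).
function safeRedirectTarget(target, { origin = APP_ORIGIN, trustedOrigins = TRUSTED_ORIGINS } = {}) {
  if (typeof target !== "string" || target === "") return null;

  let url;
  try {
    // Resolving against the app origin gives relative paths an origin and applies
    // WHATWG normalisation: scheme lowercased, tabs/newlines removed, "\" treated
    // as "/" in special schemes, "//host" resolved as protocol-relative.
    url = new URL(target, origin);
  } catch {
    return null; // unparseable: never forward something the parser cannot explain
  }

  // Scheme allowlist, not blocklist. javascript:, data:, vbscript:, blob: etc. all fail here.
  if (url.protocol !== "https:") return null;

  // Origin allowlist catches //evil.example, /\evil.example, user@host tricks and
  // lookalike hosts such as app.example.evil.example, because all of them parse
  // to an origin that is not in the set.
  if (!trustedOrigins.has(url.origin)) return null;

  // Same-origin redirects stay relative; trusted external ones are returned normalised.
  return url.origin === origin ? url.pathname + url.search + url.hash : url.href;
}

// Demonstration over constructed inputs.
const SAMPLE_TARGETS = [
  "/account?next=1",
  "https://app.example/ok#frag",
  "https://accounts.example/login",
  "javascript:alert(1)",
  "java\tscript:alert(1)",
  "data:text/html,<script>alert(1)</script>",
  "//evil.example/x",
  "/\\evil.example",
  "http://app.example/plain",
  "https://app.example.evil.example/",
];
for (const t of SAMPLE_TARGETS) {
  console.log(JSON.stringify(t), "weak:", weakIsSafe(t), "hardened:", safeRedirectTarget(t));
}
```

The contrast to watch is the tab-obfuscated scheme and the two protocol-relative or backslash-prefixed paths: the blocklist accepts all of them, the allowlist rejects all of them. Run the validator on the server before a redirect target is placed in the RSC response; the client-side fix in 7.13.2 is still required, because the server is not the only source of redirect targets the client may process.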
# Upgrade React Router to the patched version
npm install react-router@7.13.2
# or
yarn add react-router@7.13.2
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


