VulnerableCode Package Details - pkg:npm/react-router@7.12.0

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-1khb-1639-afhf	React Router SSR XSS in ScrollRestoration A XSS vulnerability exists in in React Router's `<ScrollRestoration>` API in [Framework Mode](https://reactrouter.com/start/modes#framework) when using the `getKey`/`storageKey` props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. > [!NOTE] > This does not impact applications if developers have [disabled server-side rendering](https://reactrouter.com/how-to/spa) in Framework Mode, or if they are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).	CVE-2026-21884 GHSA-8v8x-cx79-35w7
VCID-hwnh-8gqs-8fgj	React Router has CSRF issue in Action/Server Action Request Processing React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route `action` handlers in [Framework Mode](https://reactrouter.com/start/modes#framework), or when using React Server Actions in the new unstable RSC modes. > [!NOTE] > This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).	CVE-2026-22030 GHSA-h5cw-625j-3rxh
VCID-y2ce-z8tu-y7e5	React Router vulnerable to XSS via Open Redirects React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in [Framework Mode](https://reactrouter.com/start/modes#framework), [Data Mode](https://reactrouter.com/start/modes#data), or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect. > [!NOTE] > This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`).	CVE-2026-22029 GHSA-2w69-qvjg-hvjx

Vulnerability

Summary

Aliases

VCID-1khb-1639-afhf

React Router SSR XSS in ScrollRestoration A XSS vulnerability exists in in React Router's `<ScrollRestoration>` API in [Framework Mode](https://reactrouter.com/start/modes#framework) when using the `getKey`/`storageKey` props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. > [!NOTE] > This does not impact applications if developers have [disabled server-side rendering](https://reactrouter.com/how-to/spa) in Framework Mode, or if they are using [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

CVE-2026-21884
GHSA-8v8x-cx79-35w7

VCID-hwnh-8gqs-8fgj

React Router has CSRF issue in Action/Server Action Request Processing React Router (or Remix v2) is vulnerable to CSRF attacks on document POST requests to UI routes when using server-side route `action` handlers in [Framework Mode](https://reactrouter.com/start/modes#framework), or when using React Server Actions in the new unstable RSC modes. > [!NOTE] > This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`) or [Data Mode](https://reactrouter.com/start/modes#data) (`createBrowserRouter`/`<RouterProvider>`).

CVE-2026-22030
GHSA-h5cw-625j-3rxh

VCID-y2ce-z8tu-y7e5

React Router vulnerable to XSS via Open Redirects React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in [Framework Mode](https://reactrouter.com/start/modes#framework), [Data Mode](https://reactrouter.com/start/modes#data), or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if developers are creating redirect paths from untrusted content or via an open redirect. > [!NOTE] > This does not impact applications that use [Declarative Mode](https://reactrouter.com/start/modes#declarative) (`<BrowserRouter>`).

CVE-2026-22029
GHSA-2w69-qvjg-hvjx

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-29T22:49:23.679210+00:00	GitLab Importer	Fixing	VCID-hwnh-8gqs-8fgj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-22030.yml	38.5.0
2026-04-29T22:49:05.901320+00:00	GitLab Importer	Fixing	VCID-y2ce-z8tu-y7e5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-22029.yml	38.5.0
2026-04-29T22:49:00.042792+00:00	GitLab Importer	Fixing	VCID-1khb-1639-afhf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-21884.yml	38.5.0
2026-04-17T00:06:48.048209+00:00	GitLab Importer	Fixing	VCID-hwnh-8gqs-8fgj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-22030.yml	38.4.0
2026-04-17T00:06:31.002729+00:00	GitLab Importer	Fixing	VCID-y2ce-z8tu-y7e5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-22029.yml	38.4.0
2026-04-17T00:06:25.256148+00:00	GitLab Importer	Fixing	VCID-1khb-1639-afhf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-21884.yml	38.4.0
2026-04-12T01:30:11.676344+00:00	GitLab Importer	Fixing	VCID-hwnh-8gqs-8fgj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-22030.yml	38.3.0
2026-04-12T01:29:51.784660+00:00	GitLab Importer	Fixing	VCID-y2ce-z8tu-y7e5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-22029.yml	38.3.0
2026-04-12T01:29:45.554459+00:00	GitLab Importer	Fixing	VCID-1khb-1639-afhf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-21884.yml	38.3.0
2026-04-03T01:38:58.789768+00:00	GitLab Importer	Fixing	VCID-hwnh-8gqs-8fgj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-22030.yml	38.1.0
2026-04-03T01:38:37.777350+00:00	GitLab Importer	Fixing	VCID-y2ce-z8tu-y7e5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-22029.yml	38.1.0
2026-04-03T01:38:30.392696+00:00	GitLab Importer	Fixing	VCID-1khb-1639-afhf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-21884.yml	38.1.0
2026-04-01T16:07:31.399637+00:00	GHSA Importer	Fixing	VCID-hwnh-8gqs-8fgj	https://github.com/advisories/GHSA-h5cw-625j-3rxh	38.0.0
2026-04-01T16:07:31.342009+00:00	GHSA Importer	Fixing	VCID-y2ce-z8tu-y7e5	https://github.com/advisories/GHSA-2w69-qvjg-hvjx	38.0.0
2026-04-01T16:07:31.289325+00:00	GHSA Importer	Fixing	VCID-1khb-1639-afhf	https://github.com/advisories/GHSA-8v8x-cx79-35w7	38.0.0
2026-04-01T12:53:37.592307+00:00	GitLab Importer	Fixing	VCID-hwnh-8gqs-8fgj	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-22030.yml	38.0.0
2026-04-01T12:53:37.379988+00:00	GitLab Importer	Fixing	VCID-y2ce-z8tu-y7e5	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-22029.yml	38.0.0
2026-04-01T12:53:37.300789+00:00	GitLab Importer	Fixing	VCID-1khb-1639-afhf	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/react-router/CVE-2026-21884.yml	38.0.0
2026-04-01T12:52:26.028298+00:00	GithubOSV Importer	Fixing	VCID-y2ce-z8tu-y7e5	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-2w69-qvjg-hvjx/GHSA-2w69-qvjg-hvjx.json	38.0.0
2026-04-01T12:52:19.296125+00:00	GithubOSV Importer	Fixing	VCID-hwnh-8gqs-8fgj	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-h5cw-625j-3rxh/GHSA-h5cw-625j-3rxh.json	38.0.0
2026-04-01T12:52:16.153505+00:00	GithubOSV Importer	Fixing	VCID-1khb-1639-afhf	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-8v8x-cx79-35w7/GHSA-8v8x-cx79-35w7.json	38.0.0