GHSA-3cgp-3xvw-98x8
XSS vulnerability in react-router (npm)
What is GHSA-3cgp-3xvw-98x8 About?
This XSS vulnerability in React Router's `meta()`/`<Meta>` APIs allows arbitrary JavaScript execution during server-side rendering (SSR) if untrusted content is used to generate `script:ld+json` tags. This could lead to client-side attacks, and exploitation appears feasible given the right conditions, particularly when user input is not properly sanitized. It specifically affects applications using React Router's Framework Mode.
Affected Software
- react-router
  - >=7.0.0, <7.9.0
- @remix-run/react
  - >=1.15.0, <2.17.1
Technical Details
The vulnerability arises in React Router's `meta()`/`<Meta>` APIs within Framework Mode when these APIs are used to generate `script:ld+json` tags for server-side rendering. If an application incorporates untrusted content directly into the data used to construct these tags without proper sanitization, an attacker can inject malicious JavaScript. During the SSR process, the injected script is rendered into the HTML sent to the client, leading to arbitrary JavaScript execution in the user's browser as the page loads.
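The escaping gap described above, shown as an added example that is not React Router's code and is not taken from the advisory: plain `JSON.stringify` output embedded in a `<script type="application/ld+json">` element next to a serialization that escapes HTML-significant characters. All function names and the sample value are hypothetical and constructed for illustration.

```javascript
// Added example; function names and the sample value are hypothetical/constructed.

// Characters replaced so the JSON cannot close the element or be misread
// by HTML or JavaScript parsers.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Serialize, then swap those characters for JSON unicode escapes.
// JSON.parse turns the escapes back into the original characters.
function escapeJsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// Unsafe pattern: JSON.stringify output embedded verbatim. JSON escaping does
// not touch "<" or "/", so "</script>" inside a string value ends the element.
function naiveJsonLdScript(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened pattern: same markup, escaped serialization.
function safeJsonLdScript(data) {
  return `<script type="application/ld+json">${escapeJsonForScript(data)}</script>`;
}

// Check for rendered output: a JSON-LD block should contain exactly one
// script end tag, its own.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Parse the JSON back out of a rendered block to confirm the data round-trips.
function readJsonLd(html) {
  const m = html.match(/^<script type="application\/ld\+json">([\s\S]*)<\/script>$/);
  return m ? JSON.parse(m[1]) : null;
}

// Constructed sample: a user-supplied product name carrying a script end tag.
const untrustedName = "Widget</script><script>/* attacker-controlled */</script>";
const jsonLd = { "@context": "https://schema.org", "@type": "Product", name: untrustedName };

console.log(countScriptEndTags(naiveJsonLdScript(jsonLd))); // 3
console.log(countScriptEndTags(safeJsonLdScript(jsonLd)));  // 1
```

The same end-tag count can be used as a regression check against SSR output after upgrading to a fixed version.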
What is the Impact of GHSA-3cgp-3xvw-98x8?
Successful exploitation may allow attackers to execute arbitrary scripts in the user's browser, steal session cookies, deface web pages, or redirect users to malicious sites, potentially leading to unauthorized access or data breaches.
What is the Exploitability of GHSA-3cgp-3xvw-98x8?
Exploitation of this XSS vulnerability is likely of medium complexity, primarily requiring the attacker to supply untrusted input that is then used verbatim in the generation of script:ld+json tags. No specific authentication is required at the point of injection if the application processes unauthenticated inputs, but if the affected functionality is behind an authenticated boundary, then authentication would be needed. Privilege requirements are low, as the attack leverages flawed input handling rather than elevated permissions. Access can be remote, as the untrusted content would typically be submitted via standard web requests. The primary constraint is that the application must be running in React Router's Framework Mode and use the meta()/<Meta> APIs with insufficiently sanitized user-controlled data. Risk factors increase when applications frequently generate dynamic content from user input in SSR scenarios without robust output encoding.
What are the Known Public Exploits?
| PoC Author | Link | Commentary |
|---|---|---|
| No known exploits | | |
What are the Available Fixes for GHSA-3cgp-3xvw-98x8?
Available Upgrade Options
- react-router
  - >=7.0.0, <7.9.0 → Upgrade to 7.9.0
- @remix-run/react
  - >=1.15.0, <2.17.1 → Upgrade to 2.17.1
What are Similar Vulnerabilities to GHSA-3cgp-3xvw-98x8?
Similar Vulnerabilities: CVE-2023-46231, CVE-2023-45133, CVE-2023-38035, CVE-2023-34062, CVE-2023-28103
