XSS Vulnerability in React Router and @remix-run/react Products from Remix-run
CVE-2025-59057
7.6 HIGH
What is CVE-2025-59057?
A Cross-Site Scripting (XSS) vulnerability was identified in the meta() and APIs of the React Router and @remix-run/react frameworks. This flaw, affecting specific versions, can allow attackers to execute arbitrary JavaScript during Server-Side Rendering (SSR) if untrusted content is processed for generating script:ld+json tags. Applications utilizing Declarative Mode or Data Mode are not impacted. The issue has been resolved in the latest versions, providing essential updates for developers to enhance security and maintain user safety.
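The failure mode described above, shown as an added example that is not code from React Router, Remix, or the advisory: untrusted data serialized into a script:ld+json tag during SSR, next to a serializer that escapes the characters the HTML parser acts on. All function names and the sample object are hypothetical and constructed for illustration.

```javascript
// Added example: these helpers are hypothetical, not React Router APIs.

// Constructed sample: JSON-LD whose "name" field comes from untrusted input.
const untrusted = {
  "@context": "https://schema.org",
  "@type": "Product",
  name: "Widget</script><script>/* attacker-controlled code would run here */</script>",
};

// Vulnerable pattern: JSON.stringify leaves "<" untouched, so a "</script>"
// inside a string value ends the element when the browser parses the HTML.
function renderJsonLdUnsafe(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Characters that are unsafe inside an inline script element, mapped to
// JSON \uXXXX escapes. The result is still valid JSON with the same value.
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

function serializeForScript(data) {
  return JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
}

// Hardened pattern: the only "</script" left in the output is the real closer.
function renderJsonLdSafe(data) {
  return `<script type="application/ld+json">${serializeForScript(data)}</script>`;
}

// Check usable in a unit test or SSR regression test: count element closers.
function countScriptCloses(html) {
  return (html.match(/<\/script/gi) || []).length;
}

console.log("unsafe closers:", countScriptCloses(renderJsonLdUnsafe(untrusted)));
console.log("safe closers:  ", countScriptCloses(renderJsonLdSafe(untrusted)));
```

Upgrading to a fixed release remains the remedy; a check like `countScriptCloses` is useful as a regression test on rendered SSR output.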
Affected Version(s)
@remix-run/react: >= 1.15.0, < 2.17.1
react-router: >= 7.0.0, < 7.9.0
CVSS V3.1
Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Changed
