Resource Exhaustion Vulnerability in React Router and Remix Server Runtime
CVE-2026-42342

7.5 HIGH

Key Information:

Vendor

Remix-run

CVE Published:
2 June 2026

What is CVE-2026-42342?

A resource exhaustion vulnerability exists in React Router and Remix Server Runtime, which can be exploited through specially crafted requests. This vulnerability allows for unbounded path expansion in the __manifest endpoint, leading to excessive server resource consumption. As a result, applications experience significant response time degradation or may become completely unavailable to users. This issue affects React Router Framework Mode applications and Remix applications, but does not impact those using Declarative Mode or Data Mode. Users are advised to update to the patched versions of React Router (7.15.0) and @remix-run/server-runtime (2.17.5) to mitigate the risks associated with this vulnerability.

Affected Version(s)

@remix-run/server-runtime >= 2.10.0, < 2.17.5

react-router >= 7.0.0, < 7.15.0
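
To check whether a project resolves to one of the affected ranges above, the following Node.js sketch scans a parsed package-lock.json. It is an added example, not code from React Router, Remix, or this advisory. The function names and the sample lockfile are constructed for illustration; it assumes lockfileVersion 2 or 3 and compares only major.minor.patch.

```javascript
// Added example: flag lockfile entries inside the affected ranges listed on this page.
const AFFECTED = {
  "react-router": { min: [7, 0, 0], fixed: [7, 15, 0] },
  "@remix-run/server-runtime": { min: [2, 10, 0], fixed: [2, 17, 5] },
};

// Parse "major.minor.patch"; prerelease/build suffixes are dropped (simplifying assumption).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3, "packages" map keyed by install path).
function findAffected(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (idx === -1) continue; // root project or workspace entry
    const name = entry.name || path.slice(idx + "node_modules/".length);
    const range = AFFECTED[name];
    const ver = parseVersion(entry.version);
    if (!range || !ver) continue;
    if (cmp(ver, range.min) >= 0 && cmp(ver, range.fixed) < 0) {
      findings.push({ name, version: entry.version, path, fixedIn: range.fixed.join(".") });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/react-router": { version: "7.9.4" },
    "node_modules/@remix-run/server-runtime": { version: "2.17.5" },
    "node_modules/legacy/node_modules/@remix-run/server-runtime": { version: "2.12.1" },
    "node_modules/react-router-dom": { version: "6.28.0" },
  },
};

for (const f of findAffected(sampleLock)) {
  console.log(`${f.name}@${f.version} at ${f.path} is affected; fixed in ${f.fixedIn}`);
}
```

A version match alone does not establish exposure: per the description above, only Framework Mode and Remix applications are affected. Nested copies pulled in by other dependencies are reported with their install path so they can be traced and updated.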

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
