Oceandust

**Name of the Vulnerable Software and Affected Versions** React Router versions 7.7.0 through 7.13.1 React Router versions prior to 7.14.0 Remix versions 2.9.0 and later **Description** Two distinct issues were identified. First, a client-side Cross-Site Scripting (XSS) flaw exists in the handling of redirects within the unstable React Server Components (RSC) APIs when redirects originate from untrusted sources. Second, a Denial of Service (DoS) condition can occur in Framework Mode and Remix with Single Fetch enabled, where the serialization algorithm becomes a bottleneck when encoding specific data types into server responses. This does not affect applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`). **Recommendations** Update React Router versions 7.7.0 through 7.13.1 to version 7.13.2. Update React Router versions prior to 7.14.0 to version 7.14.0 or later. Update Remix versions 2.9.0 and later to a version that resolves the serialization bottleneck.

**Name of the Vulnerable Software and Affected Versions** React Router versions 7.0.0 through 7.11.0 @remix-run/router versions prior to 1.23.2 **Description** React Router, a router for React, is susceptible to open redirect issues. Specifically, Single Page Applications (SPAs) using React Router (and Remix v1/v2) in Framework Mode, Data Mode, or the unstable RSC modes may experience unsafe URLs leading to unintended javascript execution on the client when handling redirects originating from loaders or actions. This is only a concern when redirect paths are created from untrusted content or via an open redirect. The issue does not affect applications using Declarative Mode (<BrowserRouter>). **Recommendations** React Router versions 7.0.0 through 7.11.0: Update to version 7.12.0 or later. @remix-run/router versions prior to 1.23.2: Update to version 1.23.2 or later.

**Name of the Vulnerable Software and Affected Versions** react-router versions 7.0.0 through 7.11.0 @remix-run/server-runtime versions prior to 2.17.3 **Description** React Router, used as a router for React applications, is susceptible to Cross-Site Request Forgery (CSRF) attacks. This affects document POST requests to UI routes when server-side route action handlers are used in Framework Mode, or when utilizing React Server Actions in unstable Rendering Server Components (RSC) modes. The issue does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). The issue occurs when processing requests to UI routes with server-side action handlers. **Recommendations** Update @remix-run/server-runtime to version 2.17.3 or later. Update react-router to version 7.12.0 or later.