Unknown · React Router · CVE-2026-42211
**Name of the Vulnerable Software and Affected Versions**
React Router versions 7.0.0 through 7.14.1
**Description**
When using Framework Mode, a combination of steps could allow unauthorized remote code execution (RCE) through external requests. This occurs because the vendored turbo-stream v2 can be abused to allow arbitrary constructor invocation through unsafe deserialization. The attack requires the application code to have an existing prototype pollution vulnerability, which is then leveraged in a two-step process to trigger the RCE on the remote server. This issue does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter`/`<RouterProvider>`).
**Recommendations**
Update to version 7.14.2.
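
To confirm that no copy of the affected range remains after updating, the following added example (not code from the advisory or from the React Router project) checks the `packages` map of an npm lockfile for `react-router` versions between 7.0.0 and 7.14.1, including nested copies pulled in by other dependencies. It assumes an npm v2/v3 `package-lock.json` already parsed into an object and that the package is installed under the npm name `react-router`; the function names and the sample lockfile are constructed for illustration.

```javascript
// Affected range and fixed version as stated in the advisory above.
const FIRST_AFFECTED = "7.0.0", LAST_AFFECTED = "7.14.1", FIXED = "7.14.2";
// Assumption: the package is installed under its npm name "react-router".
const PKG_PATH = "node_modules/react-router";

// Parse "major.minor.patch[-prerelease][+build]"; null for anything else.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?(?:\+.*)?$/.exec(String(v).trim());
  return m ? { nums: [+m[1], +m[2], +m[3]], pre: m[4] || null } : null;
}

// Compare numeric major.minor.patch only: returns -1, 0 or 1.
function compareCore(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.nums[i] !== b.nums[i]) return a.nums[i] < b.nums[i] ? -1 : 1;
  }
  return 0;
}

function classify(version) {
  const v = parseVersion(version);
  if (!v) return "unknown"; // git URLs, tags, missing version field
  const lo = compareCore(v, parseVersion(FIRST_AFFECTED));
  const hi = compareCore(v, parseVersion(LAST_AFFECTED));
  // Pre-releases of 7.0.0 or 7.14.2 sort just outside the stated range and
  // the advisory does not mention them, so flag them for manual review.
  if (v.pre && (lo === 0 || compareCore(v, parseVersion(FIXED)) === 0)) return "unknown";
  return lo >= 0 && hi <= 0 ? "affected" : "not-affected";
}

// Walk an npm lockfile "packages" map, including nested copies.
function scanLockfile(lock) {
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === PKG_PATH || path.endsWith("/" + PKG_PATH))
    .map(([path, entry]) => ({ path, version: entry.version, status: classify(entry.version) }));
}

// Constructed sample lockfile, not taken from a real project.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/react-router": { version: "7.14.2" },
  "node_modules/some-ui-kit/node_modules/react-router": { version: "7.9.4" },
  "node_modules/react-router-dom": { version: "7.14.2" },
} };

for (const f of scanLockfile(SAMPLE_LOCK)) console.log(f.status, f.version, f.path);
```

An `affected` result only means the installed version is in range; per the description, exposure also depends on the application running in Framework Mode.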