PT-2025-44570 · Unknown · React Router+1
Published: 2025-10-30 · Updated: 2026-01-15 · CVE-2025-59057
CVSS v3.1: 7.6 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions
react-router versions 7.0.0 through 7.8.2
@remix-run/react versions 1.15.0 through 2.17.0
Description
A cross-site scripting (XSS) issue exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags. This could allow arbitrary JavaScript execution during server-side rendering (SSR) if untrusted content is used to generate the tag. The issue does not affect applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
Recommendations
Update to react-router version 7.9.0.
Update to @remix-run/react version 2.17.1.
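The description concerns untrusted values reaching a script:ld+json tag during SSR. As an added example (not code from this advisory or from React Router; the function names are hypothetical), the block below shows why plain JSON.stringify output is unsafe inside a script element and one common way to escape it. The advisory does not describe the project's actual patch, so this is a general hardening technique to apply alongside the upgrade.

```javascript
// Added illustration; function names are hypothetical, not React Router APIs.
// Assumption: the risk is JSON placed inside a <script> element, where the
// HTML parser ends the element at the first "</script>" it sees, regardless
// of JSON string quoting.

// Characters that are harmless in JSON but significant to the HTML parser
// (or, for U+2028/U+2029, to older JavaScript parsers).
const ESCAPES = {
  "<": "\\u003c",
  ">": "\\u003e",
  "&": "\\u0026",
  "\u2028": "\\u2028",
  "\u2029": "\\u2029",
};

// Weak form: JSON.stringify alone leaves "<" intact.
function renderJsonLdUnsafe(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened form: same JSON value, but no raw "<", ">" or "&" in the markup.
function renderJsonLdSafe(data) {
  const json = JSON.stringify(data).replace(/[<>&\u2028\u2029]/g, (c) => ESCAPES[c]);
  return `<script type="application/ld+json">${json}</script>`;
}

// Count how many script end tags the HTML parser would encounter.
function countScriptClosers(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Recover the JSON text between the opening tag and the final end tag.
function extractJson(html) {
  return html.slice(html.indexOf(">") + 1, html.lastIndexOf("</script>"));
}

// Constructed sample: a user-supplied name carrying a script end tag.
const sample = {
  "@context": "https://schema.org",
  "@type": "Person",
  name: 'Ann</script><p id="injected">',
};

console.log("unsafe closers:", countScriptClosers(renderJsonLdUnsafe(sample)));
console.log("safe closers:  ", countScriptClosers(renderJsonLdSafe(sample)));
```

The escaped output parses back to the same JSON value, so consumers of the structured data see no difference.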
Exploit
Fix
XSS
Affected Products
@Remix-Run/React
React Router