React Router Prototype Pollution Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability in React Router versions 7.0.0 through 7.14.1, when used in Framework Mode, could allow unauthorized remote code execution (RCE) through external requests. This issue arises only if the application code contains a prototype pollution vulnerability, which can be exploited in a two-step attack, with the second step triggering unauthorized RCE on the remote server. Applications using Declarative Mode or Data Mode are not affected.

Impact

Exploitation of this vulnerability could lead to unauthorized remote code execution on the server where the application is running.

Remediation

Users can upgrade to React Router version 7.14.2 or later to address this vulnerability.
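
The following check flags installed copies of react-router that fall in the affected range stated above. It is an added example, not part of the original advisory or of React Router's own code. It assumes an npm package-lock.json in format v2/v3 (a "packages" map), compares only the numeric x.y.z core of each version, and treats the presence of @react-router/dev as a heuristic hint that Framework Mode is in use; the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit a package-lock.json "packages" map for this advisory.
const FIRST_AFFECTED = [7, 0, 0];  // first affected version per the advisory
const LAST_AFFECTED = [7, 14, 1];  // last affected version; 7.14.2 carries the fix

// Parse "7.14.1" (or "7.14.1-pre.0") into [7, 14, 1]; null if not x.y.z.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// Three-part numeric comparison: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isAffected(version) {
  const v = parseVersion(version);
  return v !== null && compare(v, FIRST_AFFECTED) >= 0 && compare(v, LAST_AFFECTED) <= 0;
}

// Returns every installed copy of react-router in the affected range, including
// nested copies pulled in by dependencies, plus a Framework Mode hint.
// Assumption: @react-router/dev in the tree suggests Framework Mode.
function auditLockfile(lock) {
  const findings = [];
  let frameworkModeLikely = false;
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.endsWith("node_modules/@react-router/dev")) frameworkModeLikely = true;
    if (path.endsWith("node_modules/react-router") && isAffected(meta.version)) {
      findings.push({ path, version: meta.version });
    }
  }
  return { findings, frameworkModeLikely };
}

// Constructed sample lockfile fragment (not from a real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/react-router": { version: "7.14.1" },
    "node_modules/@react-router/dev": { version: "7.14.1" },
    "node_modules/legacy-widget/node_modules/react-router": { version: "6.28.0" },
  },
};
console.log(JSON.stringify(auditLockfile(sampleLock), null, 2));
```

A finding with frameworkModeLikely set to false still warrants the upgrade, since the hint only reflects what the lockfile shows and not how the application is actually built.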

Added: Jun 2, 2026, 8:51 PM
Updated: Jun 2, 2026, 8:51 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 7.5
exploitability: 6.8
remediation: 0.0
relevance: 9.8
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.