React Router
- >= 7.0.0, < 7.15.0
A denial-of-service vulnerability has been identified in React Router versions 7.0.0 through 7.14.x and in @remix-run/server-runtime versions 2.10.0 through 2.17.4. This issue arises in React Router Framework Mode applications and Remix applications, where certain crafted requests can lead to excessive server resource consumption. The problem is caused by unbounded path expansion in the __manifest endpoint, which degrades response times and can cause service unavailability for users. Notably, this vulnerability does not affect applications using React Router's Declarative Mode ('<BrowserRouter>') or Data Mode ('createBrowserRouter'/'<RouterProvider>').
Exploitation of this vulnerability can cause significant degradation of response times and availability of the service, leading to potential downtime or reduced performance for end users.
Users can upgrade to React Router version 7.15.0 or @remix-run/server-runtime version 2.17.5 to address this vulnerability.
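The advisory gives two affected ranges, one per package, and the fix is a version bump. The check below is an added example (not code from the advisory or the React Router project) that tests the `react-router` and `@remix-run/server-runtime` specs in a `package.json` against those ranges; it assumes Node.js, and a caret/tilde spec is checked at its lower bound, so confirm the resolved version in the lockfile before concluding "not affected".

```javascript
// Added example, not code from the advisory or the React Router project:
// checks dependency specs against the affected ranges the advisory states.
// Assumes Node.js; a caret/tilde spec is checked at its lower bound, so
// confirm the resolved version in the lockfile before concluding "not affected".

// Affected ranges from the advisory as [lowest affected, first fixed).
const AFFECTED = {
  "react-router": { min: "7.0.0", fixed: "7.15.0" },
  "@remix-run/server-runtime": { min: "2.10.0", fixed: "2.17.5" },
};

// Parse "7.14.2", "^7.14.2", "~7.14.2" or "7.15.0-pre.1" into
// { core: [7, 14, 2], pre: boolean }; returns null for specs that cannot be
// pinned to a version ("*", ">=7", "workspace:*", git URLs).
function parseSemver(spec) {
  const m = /^[\^~=v]?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(spec).trim());
  if (!m) return null;
  return { core: [1, 2, 3].map((i) => Number(m[i])), pre: m[4] !== undefined };
}

// Semver precedence: compare major.minor.patch, then a prerelease sorts below
// the release with the same core (7.15.0-pre.1 < 7.15.0, so it is still affected).
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i] ? -1 : 1;
  }
  if (a.pre === b.pre) return 0;
  return a.pre ? -1 : 1;
}

// True when min <= version < fixed for a package named in the advisory.
function isAffected(pkg, spec) {
  const range = AFFECTED[pkg];
  const v = parseSemver(spec);
  if (!range || !v) return false;
  return compareSemver(v, parseSemver(range.min)) >= 0 &&
    compareSemver(v, parseSemver(range.fixed)) < 0;
}

// Audit a parsed package.json object; returns the affected dependencies found.
function auditPackageJson(pkgJson) {
  const deps = { ...(pkgJson.dependencies || {}), ...(pkgJson.devDependencies || {}) };
  return Object.keys(AFFECTED)
    .filter((name) => name in deps && isAffected(name, deps[name]))
    .map((name) => ({ name, spec: deps[name], upgradeTo: AFFECTED[name].fixed }));
}

// Constructed sample package.json (not a real project) to show the check end to end.
const SAMPLE_PACKAGE_JSON = {
  dependencies: { "react-router": "^7.14.2", "@remix-run/server-runtime": "2.17.5", react: "^19.0.0" },
};
console.log(auditPackageJson(SAMPLE_PACKAGE_JSON));
// → [ { name: 'react-router', spec: '^7.14.2', upgradeTo: '7.15.0' } ]
```

Only applications in Framework Mode or Remix expose the affected endpoint, so a hit here means "upgrade", while a miss on a Declarative or Data Mode app was never in scope.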