fix(deps): update dependency react-router to v7.15.1 [security] (v2)

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
react-router (source)	7.15.0 → 7.15.1

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets

CVE-2026-33245 / GHSA-8646-j5j9-6r62

More information

Details

When using React Router v7's unstable RSC APIs, there exists a potential client-side XSS issue in the RSC redirect handling if redirects are coming from untrusted sources

[!NOTE]
This only impacts your application if you are using the unstable RSC APIs in React Router.

Severity

• CVSS Score: 8.0 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-8646-j5j9-6r62
• https://nvd.nist.gov/vuln/detail/CVE-2026-33245
• https://github.com/advisories/GHSA-8646-j5j9-6r62

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router has stored XSS via unescaped Location header in prerendered redirect HTML

CVE-2026-33244 / GHSA-f22v-gfqf-p8f3

More information

Details

When using React Router v7 Framework Mode with Pre-rendering enabled, an improper neutralization of the HTTP Location header value can permit Cross-Site Scripting (XSS) in statically generated HTML files if the redirect location comes from an untrusted source.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

• CVSS Score: 5.4 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-f22v-gfqf-p8f3
• https://nvd.nist.gov/vuln/detail/CVE-2026-33244
• https://github.com/advisories/GHSA-f22v-gfqf-p8f3

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

CVE-2026-42211 / GHSA-49rj-9fvp-4h2h

More information

Details

When using React Router v7 in Framework Mode, there exists a combination of steps that could potentially allow unauthorized RCE through external requests. This first requires the application code to have an existing prototype pollution vulnerability. This can be leveraged into a 2-step attack in which the second step can trigger unauthorized RCE on the remote server.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

• CVSS Score: 8.1 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h
• https://nvd.nist.gov/vuln/detail/CVE-2026-42211
• https://github.com/advisories/GHSA-49rj-9fvp-4h2h

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router's same-origin redirect with path starting // causes open redirect via protocol-relative URL reinterpretation

CVE-2026-40181 / GHSA-2j2x-hqr9-3h42

More information

Details

Certain URLs passed to the redirect function can trigger an open redirect to an external domain depending on the level of validation done by the application prior to returning the redirect.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>)

Severity

• CVSS Score: 6.6 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-2j2x-hqr9-3h42
• https://nvd.nist.gov/vuln/detail/CVE-2026-40181
• https://github.com/advisories/GHSA-2j2x-hqr9-3h42

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

CVE-2026-42342 / GHSA-8x6r-g9mw-2r78

More information

Details

There exists a potential DOS attack vector in React Router Framework Mode applications (as well as Remix v2.10.0 - 2.17.4). Certain requests can be crafted to consume disproportionate resources on the server, resulting in response time degredation and/or service unavailability for end users.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78
• https://nvd.nist.gov/vuln/detail/CVE-2026-42342
• https://github.com/advisories/GHSA-8x6r-g9mw-2r78

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router vulnerable to Denial of Service via reflected user input in single-fetch

CVE-2026-34077 / GHSA-rxv8-25v2-qmq8

More information

Details

A DoS vulnerability exists in the React Router v7 Framework Mode, as well as Remix v2.9.0+ with Single Fetch enabled. In some scenarios the underlying serialization algorithm can become a bottleneck when encoding specific types of data into server responses. Please upgrade to React Router v7.14.0 or later.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

• CVSS Score: 7.5 / 10 (High)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-rxv8-25v2-qmq8
• https://nvd.nist.gov/vuln/detail/CVE-2026-34077
• https://github.com/remix-run/react-router/commit/59811921d3c7d599077b8cadccdcd65a233165e0
• https://github.com/jacob-ebey/turbo-stream/blob/v2.4.1/src/flatten.ts#L175-L177
• https://github.com/jacob-ebey/turbo-stream/blob/v2.4.1/src/unflatten.ts#L185-L189
• https://github.com/advisories/GHSA-rxv8-25v2-qmq8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

React Router: Potential CSRF via PUT/PATCH/DELETE document requests

CVE-2026-53663 / GHSA-84g9-w2xq-vcv6

More information

Details

Certain CSRF checks in React Router v7 Framework Mode were insufficient and run on POST requests, but were bypassed on PUT/PATCH/DELETE requests. This is a low severity vulnerability because modern browser protections (CORS preflight, SameSite cookies) already block the cross-origin attack vectors that this missing CSRF check would otherwise gate.

[!NOTE]
This does not impact your React Router application if you are using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).

Severity

• CVSS Score: 3.1 / 10 (Low)
• Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N

References

• https://github.com/remix-run/react-router/security/advisories/GHSA-84g9-w2xq-vcv6
• https://github.com/advisories/GHSA-84g9-w2xq-vcv6

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

remix-run/react-router (react-router)

v7.15.1

Compare Source

Patch Changes

• Update router to operate on fetcher Maps in an immutable manner to avoid delayed React renders from potentially reading an updated but not yet committed Map. This could result in brief flickers in some fetcher-driven optimistic UI scenarios. (#​15028)
• Fix serverLoader() returning stale SSR data when a client navigation aborts pending hydration before the hydration clientLoader resolves (#​15022)
• Fix RouterProvider onError callback not being called for synchronous initial loader errors in SPA mode (#​15039) (#​14942)
• Memoize useFetchers to return a stable identity and only change if fetchers changed (#​15028)
• Internal refactor to consolidate mutation request detection through shared utility (#​15033)

Unstable Changes

⚠️ Unstable features are not recommended for production use

• Add a new unstable_useRouterState() hook that consolidates access to active and pending router states (RFC: #​12358) (#​15017)

  • Data/Framework/RSC only — throws when used without a data router

  • This should allow you to consolidate usages of the following hooks which will likely be deprecated and removed in a future major version

    • useLocation
    • useSearchParams
    • useParams
    • useMatches
    • useNavigationType
    • useNavigation

    let { active, pending } = unstable_useRouterState();
    
    // Active is always populated with the current location
    active.location; // replaces `useLocation()`
    active.searchParams; // replaces `useSearchParams()[0]`
    active.params; // replaces `useParams()`
    active.matches; // replaces `useMatches()`
    active.type; // replaces `useNavigationType()`
    
    // Pending is only populated during a navigation
    pending.location; // replaces `useNavigation().location`
    pending.searchParams; // equivalent to `new URLSearchParams(useNavigation().search)`
    pending.params; // Not directly accessible today
    pending.matches; // Not directly accessible today
    pending.type; // Not directly accessible today
    pending.state; // replaces `useNavigation().state`
    pending.formMethod; // replaces useNavigation().formMethod
    pending.formAction; // replaces useNavigation().formAction
    pending.formEncType; // replaces useNavigation().formEncType
    pending.formData; // replaces useNavigation().formData
    pending.json; // replaces useNavigation().json
    pending.text; // replaces useNavigation().text

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

❌ Deploy Preview for modernjs-v2 failed. Why did it fail? →

Name	Link
🔨 Latest commit	49e18ea
🔍 Latest deploy log	https://app.netlify.com/projects/modernjs-v2/deploys/6a323289a33a5c000862ffda

[changeset-bot]

⚠️ No Changeset found

Latest commit: 49e18ea

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR