{"uuid": "f593c105-eaf5-4e8e-9473-8bd27a68e875", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-42211", "type": "seen", "source": "https://gist.github.com/alon710/6d419a56b43f4ac63f23facb23062d82", "content": "# CVE-2026-42211: CVE-2026-42211: Remote Code Execution via Insecure Deserialization in React Router Framework Mode\n\n> **CVSS Score:** 8.1\n> **Published:** 2026-06-03\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42211\n\n## Summary\nA critical vulnerability exists in React Router v7 when running in Framework Mode. The vulnerability arises from insecure deserialization of TYPE_ERROR objects in the internal turbo-stream library, which resolves constructors from the global scope. If an application contains an independent prototype pollution vulnerability, an attacker can trigger unauthenticated Remote Code Execution (RCE) on the server.\n\n## TL;DR\nAn insecure deserialization vulnerability in React Router Framework Mode allows unauthenticated Remote Code Execution (RCE) when chained with prototype pollution.\n\n## Technical Details\n\n- **CWE ID**: CWE-502\n- **Attack Vector**: Network\n- **CVSS Score**: 8.1\n- **EPSS Score**: 0.00252\n- **Exploit Status**: poc\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- React Router v7 applications deployed in Framework Mode\n- **react-router**: >= 7.0.0, < 7.14.2 (Fixed in: `7.14.2`)\n\n## Mitigation\n\n- Upgrade react-router to version 7.14.2 or later\n- Launch Node.js with prototype mutation protections disabled (--disable-proto=throw)\n- Implement strict input validation on JSON/query payloads to prevent prototype pollution\n\n**Remediation Steps:**\n1. Identify any react-router installations in your package.json mapping to versions >= 7.0.0 and < 7.14.2\n2. Execute the appropriate package manager command to update (e.g., npm install react-router@latest)\n3. Optionally add the --disable-proto=throw flag to the Node.js startup command in production environments\n\n## References\n\n- [GitHub Security Advisory GHSA-49rj-9fvp-4h2h](https://github.com/remix-run/react-router/security/advisories/GHSA-49rj-9fvp-4h2h)\n- [NVD - CVE-2026-42211](https://nvd.nist.gov/vuln/detail/CVE-2026-42211)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42211) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-04T00:40:58.000000Z"}