{
  "vulnerability": "cve-2026-42342",
  "sightings": [
    {
      "uuid": "da2280e3-d125-43de-8843-cc16a8352cf1",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-42342",
      "type": "seen",
      "source": "https://gist.github.com/alon710/7cf799e784cb7e5d54b5d97af1f62323",
      "content": "# CVE-2026-42342: CVE-2026-42342: Uncontrolled Resource Consumption and Denial of Service in React Router and Remix\n\n> **CVSS Score:** 7.5\n> **Published:** 2026-06-03\n> **Full Report:** https://cvereports.com/reports/CVE-2026-42342\n\n## Summary\nAn Uncontrolled Resource Consumption vulnerability (CWE-400) affects React Router in Framework Mode and Remix server runtimes. A remote, unauthenticated attacker can trigger unbounded recursive path expansion in the manifest resolution component, leading to 100% CPU exhaustion and complete Denial of Service. The vulnerability arises because the server does not enforce depth limits when parsing deeply nested path segments in requests directed to the dynamic manifest evaluation endpoints. This blocks the single-threaded Node.js event loop, preventing the processing of subsequent client requests. The issue is resolved in react-router v7.15.0 and @remix-run/server-runtime v2.17.5. Applications using React Router in client-side-only Declarative or Data modes are unaffected.\n\n## TL;DR\nA high-severity Denial of Service vulnerability in React Router (v7 Framework Mode) and Remix (v2) allows unauthenticated remote attackers to exhaust server resources and freeze the Node.js event loop via unbounded path expansion requests to the manifest resolution engine. Upgrade to react-router v7.15.0 or @remix-run/server-runtime v2.17.5 to resolve.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-400\n- **Attack Vector**: Network (AV:N)\n- **CVSS Score**: 7.5\n- **EPSS Score**: 0.00051 (16.30% percentile)\n- **Exploit Status**: Theoretical / Proof of Concept Only\n- **CISA KEV Status**: Not Listed\n- **Impact**: Denial of Service (DoS) via CPU Exhaustion\n\n## Affected Systems\n\n- React Router Framework Mode applications\n- Remix server-side web applications\n- **react-router**: >= 7.0.0, < 7.15.0 (Fixed in: `7.15.0`)\n- **@remix-run/server-runtime**: >= 2.10.0, < 2.17.5 (Fixed in: `2.17.5`)\n\n## Mitigation\n\n- Upgrade react-router to version 7.15.0 or higher\n- Upgrade @remix-run/server-runtime to version 2.17.5 or higher\n- Configure reverse proxy or WAF block lists based on request path segment count and length\n\n**Remediation Steps:**\n1. Identify vulnerable packages using npm list react-router or yarn licenses list.\n2. Update dependencies in package.json to the fixed versions (react-router 7.15.0 or remix-run 2.17.5).\n3. Run npm install or yarn install to update package-lock.json or yarn.lock.\n4. Implement Nginx URI character limits or path-depth boundaries for temporary protection.\n\n## References\n\n- [GitHub Security Advisory GHSA-8x6r-g9mw-2r78](https://github.com/remix-run/react-router/security/advisories/GHSA-8x6r-g9mw-2r78)\n- [NVD - CVE-2026-42342 Detail](https://nvd.nist.gov/vuln/detail/CVE-2026-42342)\n- [React Router GitHub Repository](https://github.com/remix-run/react-router)\n- [CVE-2026-42342 on CVE.org](https://www.cve.org/CVERecord?id=CVE-2026-42342)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/CVE-2026-42342) - Automated Vulnerability Intelligence*",
      "creation_timestamp": "2026-06-03T21:41:07.000000Z"
    },
    {
      "uuid": "f3cb6b9b-50ef-4482-86d2-5a1842fda430",
      "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd",
      "author": "9f56dd64-161d-43a6-b9c3-555944290a09",
      "vulnerability": "CVE-2026-42342",
      "type": "seen",
      "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mndiistrbd2h",
      "content": "\ud83d\udfe0 CVE-2026-42342 - High (7.5)\n\nReact Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions...\n\nhttps://www.thehackerwire.com/vulnerability/CVE-2026-42342/\n\n#infosec #cybersecurity #CVE #vulnerability #security #patchstack",
      "creation_timestamp": "2026-06-02T21:01:32.463397Z"
    }
  ]
}