Headline
GHSA-3cgp-3xvw-98x8: React Router has XSS Vulnerability
A XSS vulnerability exists in in React Router’s meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.
[!NOTE] This does not impact applications using Declarative Mode (
<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
Skip to content
Navigation Menu
AI CODE CREATION
GitHub CopilotWrite better code with AI
GitHub SparkBuild and deploy intelligent apps
GitHub ModelsManage and compare prompts
MCP RegistryNewIntegrate external tools
View all features
- Pricing
Provide feedback
Saved searches****Use saved searches to filter your results more quickly
Sign up
Appearance settings
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2025-59057
React Router has XSS Vulnerability
High severity GitHub Reviewed Published Jan 8, 2026 in remix-run/react-router • Updated Jan 8, 2026
Package
npm @remix-run/react (npm)
Affected versions
>= 1.15.0, <= 2.17.0
Description
A XSS vulnerability exists in in React Router’s meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.
Note
This does not impact applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
References
- GHSA-3cgp-3xvw-98x8
Published to the GitHub Advisory Database
Jan 8, 2026
EPSS score