CVE-2026-33245: React Router vulnerable to XSS in unstable RSC redirect handling via javascript: redirect targets
React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.
Metrics
- CVSS v3.1: 8.0
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a client-side Cross-Site Scripting (XSS) vulnerability in the React Router library, specifically in its unstable React Server Components (RSC) redirect handling. The flaw is reachable over the network without authentication, but requires a victim to interact with a page and involves higher attack complexity due to the need to supply a malicious redirect target (such as a javascript: URI) from an untrusted source. Successful exploitation gives an attacker the ability to execute arbitrary JavaScript in the victim's browser, leading to session theft, credential harvesting, or unauthorized actions on behalf of the user. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle react-router as a dependency.
- Available: HarborGuard is capable of scoring this finding at CVSS 8.0 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage alerts are routable to the appropriate team inbox within each customer organization based on image ownership and policy rules.
- Pending upstream: No fix version has been published upstream as of this record; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment the upstream maintainers publish a corrected release. For customers with auto-remediation enabled, the rebuild, regression test run, and pull request against affected workloads will be triggered automatically at that point.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the target application over the network and influence redirect responses served to the victim's browser.
- Authentication: Not required
No account or credential is needed; the attacker can operate as an unauthenticated party supplying malicious redirect targets.
- Victim interaction: Required
A user must visit or interact with a page that triggers the vulnerable RSC redirect flow, making social engineering or malicious link delivery part of the attack path.
- Attack complexity: High
Exploitation is rated High complexity, meaning the attacker must meet specific conditions such as controlling or poisoning a redirect source that the RSC handler treats as trusted.
Blast Radius
- Reads browser session tokens, authentication cookies, and other credentials accessible to the injected script running in the victim's origin context.
- Exfiltrates sensitive page content or form data visible to the victim at the time of exploitation.
- Performs unauthorized actions in the application on behalf of the victim, such as submitting forms or triggering state changes.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively tracked across all customer image scans, with detection firing on any image found to include react-router versions 7.7.0 through 7.13.1. Because no upstream fix version has been published yet, no patched-image rebuild is currently available. In the interim, customers can apply compensating controls by restricting which sources are permitted to issue RSC redirects (for example, by validating redirect targets server-side to reject javascript: URIs), applying network-policy isolation to limit exposure of RSC-enabled surfaces, and considering a feature-flag gate to disable the unstable RSC redirect APIs until a patch is available. Once the upstream maintainers publish a patched release, HarborGuard will ingest it automatically; for customers with auto-remediation enabled, a rebuilt image, regression test run, and PR against affected workloads will be opened without manual intervention.
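The server-side compensating control mentioned above, as an added example that is not React Router's own code: every redirect target received from an untrusted source is parsed with the WHATWG URL parser, restricted to http(s), and checked against an origin allow-list before it can reach a client-side redirect handler. The application origin and the sample targets are constructed for the example.

```javascript
// Added example, not React Router's code: validate a redirect target server-side
// before it is handed to any client-side redirect handler.
const APP_ORIGIN = 'https://app.example.com';            // constructed
const ALLOWED_ORIGINS = new Set([APP_ORIGIN]);           // constructed allow-list

// Returns the normalised absolute URL when the target is acceptable, or null.
// Callers must redirect to the returned value, never to the raw input.
function sanitizeRedirectTarget(target, appOrigin = APP_ORIGIN) {
  if (typeof target !== 'string' || target.trim() === '') return null;
  let url;
  try {
    // The WHATWG parser strips leading/trailing whitespace and embedded tab/newline,
    // so " javascript:" and "java\tscript:" are still recognised as a scheme instead
    // of being mistaken for a relative path. Relative paths resolve against appOrigin.
    url = new URL(target, appOrigin);
  } catch {
    return null; // unparsable input is rejected, not passed through
  }
  // Scheme allow-list: javascript:, data:, vbscript:, blob: etc. never pass.
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  // Origin allow-list: blocks open redirects such as "//evil.example" or
  // "/\evil.example", which the parser resolves to a foreign origin.
  if (!ALLOWED_ORIGINS.has(url.origin)) return null;
  // Drop any userinfo so "https://app.example.com@..." tricks cannot reach the client.
  url.username = '';
  url.password = '';
  return url.href;
}

// Constructed sample targets, as a server might receive them from an untrusted source.
const SAMPLE_TARGETS = [
  '/dashboard',
  'https://app.example.com/settings?tab=1',
  'javascript:alert(1)',
  'java\tscript:alert(1)',
  '//evil.example/phish',
  'https://app.example.com@evil.example/',
  '/\\evil.example',
  'data:text/html,x',
];

function classify(targets = SAMPLE_TARGETS) {
  return targets.map((t) => ({ target: t, allowed: sanitizeRedirectTarget(t) !== null }));
}

for (const { target, allowed } of classify()) {
  console.log(`${allowed ? 'ALLOW ' : 'REJECT'} ${JSON.stringify(target)}`);
}
```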
Affected Products
- remix-run / react-router: >= 7.7.0, < 7.13.2
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N