Severity: HIGH · CVE-2026-34077 · CNA: GitHub_M

CVE-2026-34077: React Router vulnerable to Denial of Service via reflected user input in single-fetch

React Router is a router for React. In versions 7.7.0 through 7.13.1, when using React Router's unstable React Server Components (RSC) APIs, there is a potential client-side Cross-Site Scripting (XSS) vulnerability in the RSC redirect handling if redirects come from untrusted sources. This does not impact applications that are not using the unstable RSC APIs in React Router. This is patched in version 7.13.2.

Metrics

  • CVSS v3.1: 7.5
  • Severity: HIGH
  • Fixed in:
  • Affected products: 2


HarborGuard Analysis

Synopsis

A denial-of-service vulnerability affects React Router versions 7.7.0 through 7.13.1 when the unstable React Server Components (RSC) APIs are in use. The flaw is reachable over the network without any authentication or user interaction, allowing an unauthenticated remote attacker to trigger it from the internet. Successful exploitation disrupts service availability for the affected application. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-34077 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all container images in customer registries and CI pipelines, including custom-built images that bundle react-router or turbo-stream.

Triage (Available)

HarborGuard scores this finding at CVSS 7.5 (HIGH) and weights it against each environment's compliance policy to determine breach thresholds. Triage routing sends the finding to the appropriate team inbox within each customer organization based on configured ownership rules.

Patch (Pending upstream)

Because no upstream fix version has been published yet, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment a fix is released by the maintainers. In the meantime, customers can apply compensating controls through HarborGuard's policy engine to flag or block images containing affected react-router or turbo-stream versions.

Exploit Conditions

  • Network reachability: Required

    The vulnerable component is exposed over the network, so the attacker must be able to reach the service via a standard internet or intranet HTTP connection.

  • Authentication: Not required

    No account or credential of any privilege level is needed to send a malicious request to the affected endpoint.

  • Victim interaction: Not required

    The exploit executes without any action from a user or administrator on the target system.

  • Attack complexity: Low

    Attack complexity is low, meaning the exploit is straightforward and does not depend on race conditions, specific memory layout, or other environmental factors.

Blast Radius

  • A successful attacker crashes or hangs the React Router application process, making it unavailable to legitimate users.
  • No confidential data is read by the attacker; the impact is limited to service disruption.
  • No persistent data is modified; integrity of stored records is unaffected.
  • Availability of the affected service is fully compromised for the duration of the attack.

How HarborGuard Handles This

Available on HarborGuard: because no patched version has been published as of the CVE's publication date, HarborGuard continuously re-checks the advisory on every ingest cycle and will surface a patched-image rebuild the moment the upstream maintainers ship a fix. While waiting for a patch, customers can use HarborGuard's policy engine to enforce a block or warn gate on images containing react-router versions 7.7.0 through 7.13.1 or turbo-stream versions below 3.0.0. Additional compensating controls worth considering include network-policy rules that restrict which services can reach RSC-enabled React Router endpoints, and feature-flag gating to disable the unstable RSC APIs at the application layer until a patch is available. For customers with auto-remediation enabled, a rebuild and regression run will trigger automatically and a PR will be opened against affected workloads as soon as a fix version is indexed.

Affected packages
  • remix-run / react-router
    >= 7.0.0, < 7.14.0
  • remix-run / turbo-stream
    < 3.0.0
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H