CVE-2026-42211: React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE
React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 7.14.2
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a deserialization vulnerability in the turbo-stream v2 library vendored into React Router, reachable in Framework Mode on versions 7.0.0 through 7.14.1. When the stream decoder hydrates a TYPE_ERROR record it can be made to invoke an arbitrary constructor, but only in combination with a separate prototype pollution vulnerability that already exists in the application code: the attacker triggers that flaw as a first stage and then, with a second crafted request, turns the constructor invocation into remote code execution. No credentials are needed and both stages arrive as ordinary network requests. Successful exploitation gives the attacker code execution in the server process, enabling reads of sensitive data, modification of application state, and service disruption. The upstream fix is react-router 7.14.2.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-42211 is available across every HarborGuard environment, with the CVE matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle react-router in Framework Mode. Any image in a customer registry or CI pipeline containing an affected version (react-router 7.0.0 through 7.14.1) is flagged automatically.
- Triage: Available
Triage uses the CVSS v3.1 score of 8.1 (HIGH), with per-environment compliance policy weighting applied to prioritize findings according to each customer organization's risk thresholds. Routed findings are delivered to the appropriate team inbox within each org, so the right engineers see the alert without manual forwarding.
- Remediation: Upgrade to react-router 7.14.2
The upstream advisory lists react-router 7.14.2 as the patched release. For customers with auto-remediation enabled, HarborGuard triggers a rebuilt image, a regression-test run, and a PR opened against affected workloads where compliance policy permits.
Exploit Conditions
- Network reachability: Required
The attacker must reach the React Router application over the network; the service must be exposed to external or internet-facing requests for this attack to be possible.
- Authentication: Not required
No credentials or session token are needed; the attack is launched from an unauthenticated external request.
- Victim interaction: Not required
No user action is required; the attacker triggers exploitation entirely through crafted inbound requests to the server.
- Attack complexity: High (CVSS AC:H)
Exploitation is a two-stage attack: a prototype pollution vulnerability that already exists in the application code must be triggered first, and only then can the TYPE_ERROR deserialization step be weaponized into arbitrary constructor invocation and RCE. An application without a reachable pollution bug is not exploitable through this path alone.
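To make the two-stage mechanism concrete, the following is an added example written for this page, not turbo-stream's or React Router's code: a toy stream decoder that rebuilds Error values from a record carrying a constructor name, in a vulnerable form and a hardened form. The TYPE_ERROR tag value, the record shape `{tag, errorName, message}`, the global-object lookup and the allowlist are all assumptions for the demo; the point is the pattern, not the library's internals. The unsafe decoder resolves the name against `globalThis` and reads the field without an own-property check, so a polluted `Object.prototype` can supply the name for a record that never carried one; the safe decoder uses a closed allowlist and own-property reads.

```javascript
// Added illustration of the bug class behind this advisory. NOT turbo-stream's
// or React Router's code: the tag value, the record shape and both lookup
// strategies are assumptions made for the demo.
const TYPE_ERROR = "E";

// Vulnerable pattern: resolve the constructor by name against the global
// object and call whatever comes back. Two things go wrong:
//  1. any global constructor is reachable (Function, Proxy, or Object via the
//     inherited "constructor" key), not only Error subclasses;
//  2. record.errorName is read without an own-property check, so a missing
//     field is silently filled in from a polluted Object.prototype.
function hydrateErrorUnsafe(record) {
  if (record.tag !== TYPE_ERROR) throw new Error("unexpected tag");
  const name = record.errorName; // may resolve through Object.prototype
  const ctor = typeof globalThis[name] === "function" ? globalThis[name] : Error;
  return new ctor(record.message); // arbitrary constructor invocation
}

// Hardened pattern: a closed allowlist held in a Map (a Map lookup never
// sees polluted prototype keys), own-property reads, and a fixed fallback.
const ALLOWED_ERRORS = new Map([
  ["Error", Error],
  ["TypeError", TypeError],
  ["RangeError", RangeError],
  ["SyntaxError", SyntaxError],
]);

function hydrateErrorSafe(record) {
  if (!Object.hasOwn(record, "tag") || record.tag !== TYPE_ERROR) {
    throw new Error("unexpected tag");
  }
  const name = Object.hasOwn(record, "errorName") ? record.errorName : "Error";
  const message = Object.hasOwn(record, "message") ? String(record.message) : "";
  const ctor = ALLOWED_ERRORS.get(name) ?? Error;
  return new ctor(message);
}

// Simulates the first stage of the attack: some other bug in the application
// has already written an attacker-chosen key onto Object.prototype. The key
// is removed in `finally` so the demo leaves the process clean.
function withPollutedPrototype(key, value, fn) {
  Object.prototype[key] = value;
  try {
    return fn();
  } finally {
    delete Object.prototype[key];
  }
}

// Runs both decoders on the same constructed inputs and reports the results.
function demonstrate() {
  const named = { tag: TYPE_ERROR, errorName: "Function", message: "return 42" };
  const unnamed = JSON.parse('{"tag":"E","message":"boom"}'); // constructed: no errorName field
  const polluted = withPollutedPrototype("errorName", "Function", () => ({
    unsafe: hydrateErrorUnsafe(unnamed),
    safe: hydrateErrorSafe(unnamed),
  }));
  return {
    unsafeNamed: typeof hydrateErrorUnsafe(named),      // "function": Function was constructed
    safeNamed: hydrateErrorSafe(named) instanceof Error, // true: fell back to Error
    unsafePolluted: typeof polluted.unsafe,              // "function": name came from Object.prototype
    safePolluted: polluted.safe instanceof Error,        // true: own-property read ignored the pollution
  };
}

console.log(demonstrate());
```

The unsafe decoder also shows why own-property checks matter even without pollution: a wire record naming `constructor` resolves to `Object` through the prototype chain and `new Object("msg")` returns a String wrapper rather than an Error. The fix in the safe variant is structural (allowlist plus own-property reads), which is the shape of check to look for when reviewing any deserializer that maps names to constructors.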
Blast Radius
- An attacker gains the ability to execute arbitrary code in the server process, reading any secrets, credentials, or application data accessible to that process.
- Application state and persisted data can be modified or destroyed, including database records and session stores reachable from the compromised process.
- The server process can be crashed or made unresponsive, disrupting availability for all users of the affected application.
- Because RCE grants process-level access, lateral movement to other services on the same host or internal network is possible if network segmentation is not enforced.
How HarborGuard Handles This
The upstream fix is react-router 7.14.2; upgrading Framework Mode applications to that release (or later) removes the vulnerable TYPE_ERROR deserialization behaviour regardless of whether a prototype pollution bug is present. Because the attack also depends on a pollution flaw in application code, compensating controls worth applying while an upgrade is rolled out include network-policy isolation to restrict which clients can reach Framework Mode endpoints, egress filtering to limit outbound calls from the application process, and auditing or removing any code paths that can introduce prototype pollution (for example, recursive object merges or deep-assign utilities that copy attacker-supplied keys such as `__proto__` without filtering). For customers with auto-remediation enabled, HarborGuard triggers a rebuilt image, runs regression tests, and opens a PR against affected workloads where compliance policy permits; the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes in those environments.
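The audit of merge and deep-assign utilities mentioned above is the part of the mitigation that application teams own. The following is an added example for this page, not React Router, turbo-stream or any library's code: a recursive merge in the shape that causes prototype pollution, a hardened version, and a probe that a test suite can run against any merge helper to tell the two apart. The function names and the payload are constructed for the demo.

```javascript
// Added example: the first stage of the two-stage attack (prototype pollution
// through a recursive merge), its fix, and a probe for auditing merge helpers.
// None of this is library code; names and payloads are constructed for the demo.

// Vulnerable: walks every enumerable key of the source, including the own
// "__proto__" key that JSON.parse creates from attacker-supplied JSON, and
// follows target["__proto__"] straight into Object.prototype.
function deepMergeUnsafe(target, source) {
  for (const key in source) {
    const value = source[key];
    if (value !== null && typeof value === "object") {
      if (target[key] === null || typeof target[key] !== "object") target[key] = {};
      deepMergeUnsafe(target[key], value); // target["__proto__"] is Object.prototype
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Hardened: own keys only, a deny-list for the keys that reach the prototype
// chain, and recursion only into plain objects that the target itself owns.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function isPlainObject(value) {
  if (value === null || typeof value !== "object" || Array.isArray(value)) return false;
  const proto = Object.getPrototypeOf(value);
  return proto === Object.prototype || proto === null;
}

function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never descend into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      const existing = Object.hasOwn(target, key) ? target[key] : undefined;
      target[key] = deepMergeSafe(isPlainObject(existing) ? existing : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Probe for auditing a merge utility: feeds it the canonical payload with a
// random marker key and reports whether the marker leaked onto
// Object.prototype. Cleans up in `finally`, so it is safe inside a test suite.
function pollutesPrototype(mergeFn) {
  const marker = "pp_probe_" + Math.random().toString(36).slice(2);
  const payload = JSON.parse(`{"__proto__":{"${marker}":1}}`); // constructed attacker input
  try {
    mergeFn({}, payload);
    return ({})[marker] === 1;
  } finally {
    delete Object.prototype[marker];
  }
}

// Runs the probe against both helpers and checks that the safe merge still
// merges ordinary nested keys correctly.
function demonstrate() {
  const merged = deepMergeSafe({ a: { b: 1 } }, JSON.parse('{"a":{"c":2},"__proto__":{"x":1}}'));
  return {
    unsafePollutes: pollutesPrototype(deepMergeUnsafe), // true
    safePollutes: pollutesPrototype(deepMergeSafe),     // false
    mergedA: merged.a,                                  // { b: 1, c: 2 }
  };
}

console.log(demonstrate());
```

The probe is the reusable piece: point `pollutesPrototype` at whatever merge, deep-assign or query-string parser the application uses and fail the build if it returns true. The deny-list alone is not sufficient for every utility (path-based setters such as `set(obj, "a.__proto__.x", v)` need the same filtering on every path segment), which is why the safe variant also restricts recursion to own, plain-object values.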
Affected Products
- remix-run/react-router: >= 7.0.0, < 7.14.2
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H