HarborGuard Database

CVE-2026-42342 (severity: HIGH), CNA: GitHub_M

CVE-2026-42342: React Router vulnerable to DoS via unbounded path expansion in __manifest endpoint

React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.

Metrics

CVSS v3.1: 7.5
Severity: HIGH
Fixed in: react-router 7.15.0, @remix-run/server-runtime 2.17.5
Affected Products: 2


HarborGuard Analysis

Synopsis

This is a denial-of-service vulnerability in React Router (Framework Mode) and Remix applications via the __manifest endpoint. A remote, unauthenticated attacker can send specially crafted requests that trigger unbounded path expansion, consuming disproportionate server resources. Successful exploitation degrades response times or makes the service completely unavailable to legitimate users. Fix versions (react-router 7.15.0 and @remix-run/server-runtime 2.17.5) have been published, and patched-image rebuilds are available on HarborGuard for affected environments.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle react-router or @remix-run/server-runtime. Coverage applies to images in both connected registries and active CI/CD pipelines.

Status: Available
Triage

Affected images are scored at CVSS 7.5 (HIGH) using the published v3.1 vector, with per-environment compliance policy weighting applied to prioritize routing. Triage findings are delivered to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available
Patch

Patched-image rebuilds targeting react-router 7.15.0 and @remix-run/server-runtime 2.17.5 are available on HarborGuard for any environment running an affected version. For customers with auto-remediation enabled, HarborGuard can trigger a rebuild, run a regression test suite against the new image, and open a pull request against affected workloads automatically.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the application over the network to send crafted HTTP requests to the __manifest endpoint.

  • Authentication: Not required

    No credentials or account are needed; the endpoint is reachable by any unauthenticated network client.

  • Victim interaction: Not required

    Exploitation is fully attacker-driven and requires no action from any user or operator of the application.

  • Attack complexity: Low (AC:L in the published CVSS vector)

    The exploit is reliable and condition-free; no race conditions, memory layout knowledge, or special environmental factors are required.

Blast Radius

  • Crashes or severely degrades the targeted React Router or Remix application, making it unavailable to legitimate users.
  • Server CPU and memory are consumed disproportionately by path expansion work, which can starve other co-hosted services or processes on the same host.
  • Sustained attack traffic can exhaust infrastructure autoscaling budgets or trigger rate-limit penalties from cloud providers.

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active across all scanning environments, matching images that include react-router 7.0.0 through 7.14.x or @remix-run/server-runtime 2.10.0 through 2.17.4. Note that only React Router Framework Mode applications and Remix applications are affected; images using Declarative Mode (BrowserRouter) or Data Mode (createBrowserRouter/RouterProvider) are not impacted, and HarborGuard triage notes this distinction. Patched-image rebuilds at react-router 7.15.0 and @remix-run/server-runtime 2.17.5 are available; for customers with auto-remediation enabled, the median time from CVE publication to a merged patch PR for high-severity issues is around 90 minutes. Where compliance policy permits, HarborGuard opens a pull request with the rebuilt image and a completed regression run against affected workloads. Until a rebuild is deployed, compensating controls worth applying include network-policy rules that restrict external access to the __manifest endpoint and rate-limiting middleware placed in front of the application.
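As an added example (not HarborGuard's or React Router's code) of the compensating controls just mentioned, the guard below bounds how much path expansion a single __manifest request can ask for and rate-limits the endpoint per client. It assumes the endpoint receives the requested paths as a repeated `p` query parameter (configurable) and that the caller already knows the client address.

```javascript
// Added example, not HarborGuard's or React Router's code: a guard placed in
// front of a Framework Mode / Remix app until the patched versions are deployed.
// ASSUMPTION: requested paths arrive as a repeated "p" query parameter
// (configurable via paramName); the client address is supplied by the caller.

const DEFAULTS = {
  paramName: "p",       // assumed name of the repeated path parameter
  maxPaths: 100,        // max paths one manifest request may ask to expand
  maxPathLength: 2048,  // reject oversized individual path values
  windowMs: 60_000,     // fixed rate-limit window in milliseconds
  maxPerWindow: 120,    // manifest requests allowed per client per window
};

class ManifestGuard {
  constructor(opts = {}) {
    this.opts = { ...DEFAULTS, ...opts };
    this.counters = new Map(); // clientId -> { windowStart, count }
  }

  // Returns { allow: true } or { allow: false, status, reason }.
  check(requestUrl, clientId, nowMs = Date.now()) {
    const url = new URL(requestUrl, "http://localhost");
    if (!url.pathname.endsWith("/__manifest")) return { allow: true };
    // Count every manifest request, including rejected ones, so probing is not free.
    const entry = this.counters.get(clientId);
    if (!entry || nowMs - entry.windowStart >= this.opts.windowMs) {
      this.counters.set(clientId, { windowStart: nowMs, count: 1 });
    } else if (++entry.count > this.opts.maxPerWindow) {
      return { allow: false, status: 429, reason: "rate limited" };
    }
    // Bound the amount of path expansion a single request can trigger.
    const paths = url.searchParams.getAll(this.opts.paramName);
    if (paths.length > this.opts.maxPaths) {
      return { allow: false, status: 400, reason: "too many paths" };
    }
    if (paths.some((p) => p.length > this.opts.maxPathLength)) {
      return { allow: false, status: 414, reason: "path too long" };
    }
    return { allow: true };
  }
}

// Express-style adapter; assumes req.originalUrl and req.ip are populated.
function manifestGuardMiddleware(guard) {
  return (req, res, next) => {
    const verdict = guard.check(req.originalUrl, req.ip);
    if (verdict.allow) return next();
    res.status(verdict.status).send(verdict.reason);
  };
}
```

Mount the adapter before the React Router / Remix request handler so rejected requests never reach the manifest code path.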

Affected packages
  • remix-run / react-router
    >= 7.0.0, < 7.15.0
  • remix-run / @remix-run/server-runtime
    >= 2.10.0, < 2.17.5
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H