CVE-2026-21884 Overview
A Cross-Site Scripting (XSS) vulnerability has been identified in React Router, the routing library used by React and Remix applications. The flaw is in the <ScrollRestoration> component when it is used in Framework Mode with Server-Side Rendering (SSR). When the getKey or storageKey props produce keys from untrusted content (for example, parts of the request URL), the key is written into the server-rendered HTML without escaping for that context, so an attacker who controls the key can have arbitrary JavaScript executed in the browser of every user who loads the page.
Critical Impact
Script injected through the server-rendered page runs in the victim's browser under the application's origin, which enables session hijacking, credential theft, defacement, or redirection to malicious sites. Applications that use Framework Mode with SSR enabled and derive ScrollRestoration keys from untrusted input are at risk.
Affected Products
- @remix-run/react versions prior to 2.17.3
- react-router versions from 7.0.0 up to, but not including, 7.12.0
Discovery Timeline
- 2026-01-10 - CVE CVE-2026-21884 published to NVD
- 2026-01-13 - Last updated in NVD database
Technical Details for CVE-2026-21884
Vulnerability Analysis
This vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The flaw resides in how the <ScrollRestoration> component handles user-supplied values for the getKey and storageKey properties during Server-Side Rendering in Framework Mode.
When an application passes untrusted or user-controlled data to these properties, the resulting key is written into the server-rendered HTML as-is. That creates an injection point: a key that contains markup or script is emitted into the document and executed by the browser of every user who loads the page.
Exploitation requires user interaction (the victim must load a crafted URL). The CVSS scope is Changed: the vulnerable component is the server-side renderer, but the impact lands in the user's browser, which is a different security authority.
Root Cause
The root cause is missing context-aware output encoding in the <ScrollRestoration> API's handling of the getKey and storageKey values during Server-Side Rendering. When these props receive values derived from untrusted sources, the component does not escape the key for the position it occupies in the rendered HTML before writing it out.
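The injection point described above, as an added illustrative model that is not React Router's source: a server-rendered component has to hand the scroll key and storage key to a small inline <script>, and if the keys are serialised with plain JSON.stringify, a key containing "</script>" ends the script element early and the HTML parser treats what follows as markup. The function and variable names, the shape of the inline script, and the crafted key are all assumptions made for this example; the hardened serialiser shows the standard way to make a JSON literal safe inside a script element.

```javascript
// Added model of the vulnerability, not React Router's own code.
// Assumed: a server renderer that embeds two keys in an inline <script>.

// Crafted key, constructed for this example; in the vulnerable scenario it
// would come from a getKey callback that folds untrusted URL data into the key.
const CRAFTED_KEY = '</script><script>alert(document.cookie)</script>';

// Vulnerable serialisation. JSON.stringify escapes quotes and backslashes but
// leaves "<", ">" and "&" untouched, and the HTML parser that looks for the
// script end tag knows nothing about JavaScript string quoting.
function renderInlineScriptUnsafe(storageKey, restoreKey) {
  return (
    '<script>' +
    'window.__scroll = { storageKey: ' + JSON.stringify(storageKey) +
    ', restoreKey: ' + JSON.stringify(restoreKey) + ' };' +
    '</script>'
  );
}

// Hardened serialisation: after JSON.stringify, replace HTML-significant
// characters with JSON \uXXXX escapes. The output is still valid JSON and valid
// JavaScript, so the browser recovers the original string, but the byte
// sequence "</script>" can no longer appear inside the element. U+2028/U+2029
// are escaped too because older JavaScript engines treat them as line
// terminators inside string literals.
function jsonForInlineScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

function renderInlineScriptSafe(storageKey, restoreKey) {
  return (
    '<script>' +
    'window.__scroll = { storageKey: ' + jsonForInlineScript(storageKey) +
    ', restoreKey: ' + jsonForInlineScript(restoreKey) + ' };' +
    '</script>'
  );
}

// How many script end tags the HTML parser would see. A correctly serialised
// document has exactly one: the real closing tag.
function countScriptEndTags(html) {
  return (html.match(/<\/script>/gi) || []).length;
}

// The escaped form must decode back to the original value, otherwise the
// hardening silently corrupts legitimate keys.
function roundTrips(value) {
  return JSON.parse(jsonForInlineScript(value)) === value;
}

console.log('unsafe end tags:', countScriptEndTags(renderInlineScriptUnsafe('scroll', CRAFTED_KEY)));
console.log('safe end tags:  ', countScriptEndTags(renderInlineScriptSafe('scroll', CRAFTED_KEY)));
console.log('round trip ok:  ', roundTrips(CRAFTED_KEY));
```

The unsafe render yields three end tags (two from the key, one real), so the browser runs the attacker's second script block; the safe render yields one. Escaping to \uXXXX rather than stripping characters is what keeps legitimate keys intact.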
Attack Vector
The attack vector is network-based and requires user interaction. An attacker crafts a URL (or other input the application feeds into the key) so that the value returned by getKey, or the configured storageKey, contains JavaScript. The vulnerable application embeds that value in the server-rendered page, and the payload runs in the victim's browser when the page loads, where it can hijack the session, read sensitive data, or act on the victim's behalf.
The vulnerability specifically targets applications that:
- Use React Router in Framework Mode
- Have Server-Side Rendering enabled
- Pass user-controlled or untrusted data to the getKey or storageKey props of <ScrollRestoration>
Applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are not affected by this vulnerability.
Detection Methods for CVE-2026-21884
Indicators of Compromise
- Unusual JavaScript payloads in URL parameters or form inputs that are processed by the application
- Server logs showing requests with encoded script tags or JavaScript event handlers targeting scroll restoration functionality
- Unexpected outbound network requests from server-side rendered pages
- User reports of suspicious redirects or pop-ups when accessing specific URLs
Detection Strategies
- Implement Content Security Policy (CSP) headers and monitor for CSP violation reports indicating injection attempts
- Review application code for usage of <ScrollRestoration> with getKey or storageKey props that accept user input
- Deploy Web Application Firewall (WAF) rules to detect and block common XSS payloads in request parameters, as defence in depth only: a WAF does not see values that reach the key through other channels and can be bypassed with encoding, so it is not a substitute for upgrading
- Enable detailed server-side logging to capture and analyze requests containing suspicious patterns
Monitoring Recommendations
- Configure real-time alerting for CSP violations related to inline script execution
- Monitor application logs for requests containing JavaScript keywords, script tags, or event handlers in query parameters
- Implement anomaly detection for unusual patterns in user-supplied data processed by SSR components
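The log review suggested in the detection strategies and the monitoring recommendations above, as an added example that is not part of the advisory: a small scanner over web-server access log lines that URL-decodes the request target (twice, to catch double encoding) and flags script tags, javascript: URLs, inline event handlers, and JavaScript line terminators. The combined log format, the field positions, the sample lines and the pattern list are all assumptions constructed for this example, and the patterns are a starting point to tune, not a complete signature set.

```javascript
// Added detection example; log lines below are constructed, not real traffic.
const SAMPLE_LOG = [
  '203.0.113.7 - - [12/Jan/2026:10:01:02 +0000] "GET /products?ref=summer HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '203.0.113.7 - - [12/Jan/2026:10:01:09 +0000] "GET /products?ref=%3C%2Fscript%3E%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5133 "-" "Mozilla/5.0"',
  '198.51.100.4 - - [12/Jan/2026:10:02:11 +0000] "GET /account?next=%253C%252Fscript%253E HTTP/1.1" 200 2048 "-" "curl/8.4"',
  '198.51.100.9 - - [12/Jan/2026:10:03:45 +0000] "GET /search?q=react%20router HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
  '198.51.100.9 - - [12/Jan/2026:10:04:00 +0000] "GET /p?x=%22%20onload%3Dalert(1)%20 HTTP/1.1" 200 1 "-" "Mozilla/5.0"',
];

// Assumed combined log format: ip ident user [time] "METHOD target proto" status ...
const REQUEST_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Patterns that indicate an attempt to break out of a server-rendered key.
const PAYLOAD_PATTERNS = [
  /<\/?script/i,      // script element open or close: the breakout primitive
  /javascript:/i,     // javascript: URL
  /\bon[a-z]+\s*=/i,  // inline event handler attribute (tune for keys like "onboarding")
  /[\u2028\u2029]/,   // JS line terminators hidden in a string literal
];

// Decode percent-encoding repeatedly so %253C (double-encoded "<") is caught.
// Stops early on a decode error or when a round changes nothing.
function decodeRepeated(s, rounds = 2) {
  let out = s;
  for (let i = 0; i < rounds; i++) {
    try {
      const next = decodeURIComponent(out.replace(/\+/g, ' '));
      if (next === out) break;
      out = next;
    } catch (e) {
      break;
    }
  }
  return out;
}

// Parse one line and return the request fields plus the patterns that matched
// the decoded path or query. Returns null for lines that do not parse.
function inspectLine(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const [, ip, ts, method, target, status] = m;
  const qIndex = target.indexOf('?');
  const decodedPath = decodeRepeated(qIndex === -1 ? target : target.slice(0, qIndex));
  const decodedQuery = decodeRepeated(qIndex === -1 ? '' : target.slice(qIndex + 1));
  const hits = PAYLOAD_PATTERNS
    .filter((re) => re.test(decodedPath) || re.test(decodedQuery))
    .map((re) => re.source);
  return { ip, ts, method, target, status, hits };
}

// Keep only requests with at least one matching pattern.
function findSuspiciousRequests(lines) {
  return lines.map(inspectLine).filter((r) => r && r.hits.length > 0);
}

for (const r of findSuspiciousRequests(SAMPLE_LOG)) {
  console.log(r.ip, r.ts, r.method, r.target, 'hits:', r.hits.join(', '));
}
```

Three of the five constructed lines are flagged: the single-encoded script tag, the double-encoded one, and the event-handler attribute; the two benign queries pass. Feed real logs through the same function line by line and alert on the hits, keeping the raw target in the alert so the analyst can reproduce the request.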
- Regularly scan application dependencies to identify vulnerable versions of @remix-run/react and react-router
How to Mitigate CVE-2026-21884
Immediate Actions Required
- Upgrade @remix-run/react to version 2.17.3 or later immediately
- Upgrade react-router to version 7.12.0 or later immediately
- Audit all uses of <ScrollRestoration> component to identify instances where getKey or storageKey receive user-controlled input
- Implement strict input validation and output encoding for any data passed to ScrollRestoration props
- Consider disabling Server-Side Rendering temporarily if immediate patching is not possible
Patch Information
The Remix team has released security patches addressing this vulnerability. For @remix-run/react, upgrade to version 2.17.3 or later. For react-router standalone usage, upgrade to version 7.12.0 or later. Refer to the GitHub Security Advisory for detailed patch information.
Workarounds
- Disable Server-Side Rendering in Framework Mode if the feature is not critical to application functionality
- Switch to Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>), which are not affected; note that this is a rewrite of the routing layer, not a configuration change
- Avoid passing any user-controlled or untrusted data to the getKey or storageKey props of <ScrollRestoration>
- Validate any external data against a strict allowlist before it reaches ScrollRestoration. HTML sanitizers such as DOMPurify are the wrong tool here: they remove dangerous markup from HTML, but a key is embedded inside an inline script, where a string that is harmless as HTML can still terminate the script element or break out of a string literal
- Deploy Content Security Policy headers with strict script-src directives to mitigate potential exploitation
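The application-side guard recommended in the immediate actions and workarounds above (strict validation of anything passed to getKey or storageKey), as an added example that is not React Router code. The component and prop names are the ones the advisory names and getKey receiving the current location is how the prop works; the allowlist, the fallback key, the helper names and the constructed locations are assumptions for this example.

```javascript
// Added example of validating ScrollRestoration keys before they are rendered.
// Not React Router's code; helper names and the allowlist are assumed here.

// Only keys matching this allowlist reach the server-rendered page. Path
// characters, digits, dashes and underscores are enough to distinguish scroll
// positions per route. Anything else (angle brackets, quotes, percent signs,
// line terminators, over-long values) falls back to a fixed key instead of
// being passed through.
const SCROLL_KEY_ALLOWLIST = /^[A-Za-z0-9\/_-]{1,200}$/;
const FALLBACK_KEY = 'default';

function safeScrollKey(candidate) {
  return typeof candidate === 'string' && SCROLL_KEY_ALLOWLIST.test(candidate)
    ? candidate
    : FALLBACK_KEY;
}

// Unsafe pattern from the advisory: folding the raw query string into the key
// means any URL parameter value ends up in the server-rendered document.
function unsafeGetKey(location) {
  return location.pathname + location.search;
}

// Hardened pattern: key on the pathname only, and validate even that, because
// the pathname is request-controlled as well and can carry arbitrary characters.
function hardenedGetKey(location) {
  return safeScrollKey(location.pathname);
}

// storageKey should be a build-time constant; never derive it from a request.
// Usage in a Framework Mode root component would be:
//   <ScrollRestoration getKey={hardenedGetKey} storageKey={safeScrollKey(APP_STORAGE_KEY)} />

// Constructed locations for the demonstration.
const CRAFTED_QUERY_LOCATION = {
  pathname: '/products',
  search: '?ref=</script><script>alert(1)</script>',
  hash: '',
};
const CRAFTED_PATH_LOCATION = {
  pathname: '/products/</script><script>alert(1)</script>',
  search: '',
  hash: '',
};

console.log('unsafe key:   ', unsafeGetKey(CRAFTED_QUERY_LOCATION));
console.log('hardened key: ', hardenedGetKey(CRAFTED_QUERY_LOCATION));
console.log('hardened key (hostile path):', hardenedGetKey(CRAFTED_PATH_LOCATION));
```

The allowlist is deliberately narrow; if a legitimate route needs characters outside it, extend the class rather than switching to a denylist, and keep the fallback so a rejected key degrades to shared scroll state instead of reaching the page. Upgrading remains the fix; this guard only limits exposure while the upgrade is scheduled.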
# Update @remix-run/react to the patched version
npm install @remix-run/react@2.17.3
# Update react-router to the patched version
npm install react-router@7.12.0
# Verify the resolved versions, including nested copies pulled in by other packages
npm list @remix-run/react react-router
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


