CVE-2026-42211 Overview
CVE-2026-42211 is a remote code execution (RCE) vulnerability in React Router, a popular routing library for React applications. The flaw affects versions 7.0.0 through 7.14.1 when applications run in Framework Mode. Attackers can chain an existing prototype pollution vulnerability in application code with React Router internals to achieve unauthorized RCE through external requests. The vulnerability is classified under CWE-502 (Deserialization of Untrusted Data). Applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are not affected. The maintainers patched the issue in version 7.14.2.
Critical Impact
Successful exploitation grants attackers remote code execution on the server hosting a React Router Framework Mode application, compromising confidentiality, integrity, and availability.
Affected Products
- React Router versions 7.0.0 through 7.14.1 (Framework Mode only)
- Applications combining React Router Framework Mode with prototype pollution flaws
- Server-side rendered React applications using @react-router/* framework packages
Discovery Timeline
- 2026-06-02 - CVE-2026-42211 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-42211
Vulnerability Analysis
The vulnerability requires a two-step attack chain. The first step exploits an existing prototype pollution flaw in the target application code. The second step leverages the polluted prototype within React Router Framework Mode handlers to trigger unauthorized code execution on the server.
Framework Mode performs server-side request handling and data loading that processes attacker-influenced properties inherited through the polluted prototype chain. When React Router internals consume these tainted properties, the execution path reaches a sink that interprets data as code or invokes unsafe deserialization, mapped to CWE-502.
Declarative Mode and Data Mode operate client-side or through different request handling pipelines and do not reach the vulnerable code path. This narrows exposure to applications running the full Framework Mode runtime.
Root Cause
The root cause is unsafe consumption of object properties within React Router Framework Mode request handling. The framework trusts properties on objects whose prototype chain may be polluted by application-level vulnerabilities. This violates the principle of defense in depth between library and application boundaries.
Attack Vector
The attack originates over the network with no authentication or user interaction required. The attacker must first identify a prototype pollution primitive in the application code. The attacker then sends a crafted external HTTP request that triggers the pollution and routes execution through React Router internals to a code execution sink.
No verified public proof-of-concept code is available. See the GitHub Security Advisory GHSA-49rj-9fvp-4h2h for advisory-level technical details.
Detection Methods for CVE-2026-42211
Indicators of Compromise
- Unexpected outbound network connections originating from the Node.js process serving the React Router application
- New or modified files in the application working directory not produced by the deployment pipeline
- HTTP requests containing payloads with __proto__, constructor, or prototype keys targeting server-side route handlers
- Spawned child processes (sh, bash, node -e, cmd.exe) under the web application service account
Detection Strategies
- Inventory all Node.js services and identify React Router versions between 7.0.0 and 7.14.1 running in Framework Mode
- Perform static analysis of application code for prototype pollution sinks such as recursive Object.assign, unsafe merge, and direct bracket assignment from user input
- Inspect web application firewall (WAF) logs for requests containing prototype pollution payload patterns
- Correlate HTTP request bodies with subsequent child process creation events on the host
Monitoring Recommendations
- Enable process creation auditing on application servers and alert on shells spawned by node processes
- Forward Node.js application logs, WAF logs, and host telemetry to a centralized analytics platform for correlation
- Monitor outbound DNS and HTTP traffic from application hosts for connections to unrecognized destinations
- Track package version drift in CI/CD to flag deployments still pinned to vulnerable react-router releases
How to Mitigate CVE-2026-42211
Immediate Actions Required
- Upgrade react-router and related @react-router/* packages to version 7.14.2 or later across all environments
- Audit application dependencies and custom code for prototype pollution vulnerabilities and remediate them
- Rotate any secrets, tokens, or credentials accessible to the application process if exploitation is suspected
- Restrict the application service account to least-privilege file system and network access
Patch Information
The React Router maintainers fixed CVE-2026-42211 in version 7.14.2. Upgrade by running npm install react-router@7.14.2 or the equivalent command for your package manager, then redeploy. Refer to the GitHub Security Advisory GHSA-49rj-9fvp-4h2h for the official remediation guidance.
Workarounds
- Migrate from Framework Mode to Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) if a patched upgrade is not immediately possible
- Deploy WAF rules that block request bodies containing __proto__, constructor.prototype, or prototype keys
- Use Object.freeze(Object.prototype) at application startup to prevent prototype mutation
- Run the Node.js process in a sandboxed container with read-only file system and restricted egress
# Upgrade React Router to the patched version
npm install react-router@7.14.2
# Verify installed version
npm ls react-router
# Optional: freeze Object prototype at application entry point
# node -e "Object.freeze(Object.prototype)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
