CVE-2026-42342 Overview
CVE-2026-42342 is a high-severity denial-of-service vulnerability affecting React Router and the Remix server runtime. Crafted requests to the __manifest endpoint trigger unbounded path expansion, consuming disproportionate server resources. The flaw degrades response times and can render applications unavailable to legitimate users. It impacts react-router versions 7.0.0 through 7.14.x and @remix-run/server-runtime versions 2.10.0 through 2.17.4. The issue affects React Router Framework Mode and Remix applications. Applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are not affected. Patches are available in react-router 7.15.0 and @remix-run/server-runtime 2.17.5.
Critical Impact
Unauthenticated attackers can send crafted requests to __manifest to exhaust server resources, causing service degradation or outage.
Affected Products
- react-router versions 7.0.0 through 7.14.x (Framework Mode)
- @remix-run/server-runtime versions 2.10.0 through 2.17.4
- Remix applications relying on the affected server runtime
Discovery Timeline
- 2026-06-02 - CVE-2026-42342 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2026-42342
Vulnerability Analysis
The vulnerability is classified as uncontrolled resource consumption [CWE-400]. The __manifest endpoint in React Router Framework Mode and Remix server runtime processes incoming path parameters without bounding the expansion of those paths. An attacker submits crafted query parameters that the server expands into a much larger internal computation. The asymmetric work performed per request allows a small number of requests to monopolize CPU and memory. Legitimate users experience increased latency or full service unavailability.
Root Cause
The __manifest handler expands requested route paths without enforcing input bounds on the number or structure of paths processed. The expansion logic does not cap iteration count, recursion depth, or total work per request. This creates an algorithmic complexity issue where attacker-controlled input determines server-side resource consumption.
Attack Vector
The attack requires only network access to the application. No authentication or user interaction is required. An attacker sends HTTP requests with crafted path parameters to the __manifest endpoint exposed by React Router Framework Mode or Remix server runtime. Repeated or parallel requests amplify the effect, exhausting worker threads, CPU, or memory. The vulnerability does not impact confidentiality or integrity, only availability. Applications using only Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) do not expose the vulnerable endpoint and are not affected.
No public proof-of-concept code is referenced in the advisory. See the GitHub Security Advisory GHSA-8x6r-g9mw-2r78 for vendor technical details.
Detection Methods for CVE-2026-42342
Indicators of Compromise
- Repeated HTTP requests to the /__manifest endpoint with large or unusual paths query parameter values
- Sudden spikes in CPU or memory utilization on Node.js processes hosting React Router or Remix applications
- Increased request latency or HTTP 5xx error rates correlated with traffic to __manifest
- Single source IPs generating high request volumes against __manifest
Detection Strategies
- Inspect access logs for requests to /__manifest with abnormally long query strings or many repeated paths parameters
- Baseline normal request rates to __manifest and alert on deviations
- Monitor application performance metrics for sustained CPU saturation tied to manifest handler execution
Monitoring Recommendations
- Aggregate web server and application logs into a centralized analytics platform for query-based hunting
- Track per-endpoint latency percentiles for __manifest and alert on regressions
- Correlate WAF or reverse proxy rate-limit events with backend resource exhaustion signals
How to Mitigate CVE-2026-42342
Immediate Actions Required
- Upgrade react-router to version 7.15.0 or later
- Upgrade @remix-run/server-runtime to version 2.17.5 or later
- Audit deployed applications to confirm whether Framework Mode or Remix server runtime is in use
- Apply rate limiting and request size limits at the reverse proxy or WAF in front of affected applications
Patch Information
The maintainers patched the vulnerability in react-router 7.15.0 and @remix-run/server-runtime 2.17.5. The fix bounds path expansion within the __manifest handler. Refer to the GitHub Security Advisory GHSA-8x6r-g9mw-2r78 for full patch details and upgrade guidance.
Workarounds
- Block or rate-limit requests to the /__manifest endpoint at the WAF or reverse proxy until patches are applied
- Restrict query string length and parameter counts on routes handled by the affected runtime
- Migrate to Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) if Framework Mode features are not required
# Upgrade affected packages
npm install react-router@^7.15.0
npm install @remix-run/server-runtime@^2.17.5
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
