CVE-2026-42211 HIGH

CVE-2026-42211: React Router's vendored turbo-stream v2 allows arbitrary constructor invocation via TYPE_ERROR deserialization leading to Unauth RCE

Vendor Remix-Run
Product react-router
Weakness CWE-502 · Unsafe deserialization
Published June 2, 2026
Last update June 3, 2026

CVSS base score

8.1/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

React Router is a router for React. In versions 7.0.0 through 7.14.1, when using Framework Mode, a combination of steps could potentially allow unauthorized remote code execution (RCE) through external requests. This attack requires the application code to have an existing prototype pollution vulnerability, which can then be leveraged in a 2-step attack where the second step triggers unauthorized RCE on the remote server. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in version 7.14.2.

Key dates

02Disclosure timeline

June 2, 2026 CVE published
June 3, 2026 Record updated