CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-34077

CVE-2026-34077: Denial of Service and Unsafe Deserialization in React Router Single Fetch

Amit Schendel
Amit Schendel
Senior Security Researcher

Jun 4, 2026·6 min read·50 visits

Executive Summary (TL;DR)

A dynamic object instantiation flaw in turbo-stream allows unauthenticated remote attackers to crash React Router or Remix applications via crafted payloads that instantiate non-constructor objects or cause out-of-memory errors.

React Router and the underlying turbo-stream vendor library contain a vulnerability allowing remote unauthenticated attackers to trigger a Denial of Service (DoS) or potentially client-side Cross-Site Scripting (XSS) due to unsafe dynamic deserialization of streaming error payloads.

Vulnerability Overview

React Router v7 in Framework Mode and Remix v2.9.0+ with Single Fetch enabled contain a vulnerability in the serialization and deserialization library, turbo-stream. This security flaw allows unauthenticated remote attackers to trigger a Denial of Service (DoS) or potentially execute client-side Cross-Site Scripting (XSS) in specific React Server Components (RSC) configurations. The vulnerability is tracked as CVE-2026-34077 and GHSA-rxv8-25v2-qmq8.

The vulnerability stems from the way the underlying turbo-stream vendor library processes stream error data. When rendering streaming responses, the application packages errors and sends them to the client for hydration. A discrepancy exists between official NVD listings, which emphasize client-side XSS via RSC redirects, and the actual code fix, which remedies a server-side and client-side Denial of Service vulnerability during deserialization.

This analysis details the technical mechanics of the deserialization failure, demonstrating how malicious input can lead to resource exhaustion or Node.js process termination. Organizations utilizing React Router's single-fetch features or unstable RSC APIs must assess their vulnerability status and apply the available patches.

Root Cause Analysis

The technical flaw resides in the custom serialization algorithm implemented in the turbo-stream component bundled inside the react-router monorepo. Specifically, the vulnerability is located in the files flatten.ts (the serializer) and unflatten.ts (the deserializer). The engine uses these files to transform complex JavaScript objects, such as Error instances, into a flat string representation for over-the-wire streaming.

During serialization, when the engine encounters an object extending the standard Error class, it writes the error message and the constructor name to the stream. If the constructor name is anything other than the default Error, the serializer appends the custom name property to the serialized structure. This name parameter is retrieved directly from the JavaScript object's properties without verification.

During deserialization on the receiving side, the engine attempts to hydrate this serialized payload back into live JavaScript objects. The parsing logic extracts the serialized error name and attempts to resolve it as a constructor on the global execution context. By dynamically instantiating an arbitrary property on the global object, the deserializer introduces an unrestricted object instantiation vector.

Code-Level Patch Analysis

An examination of the vulnerable source code compared to the patched version reveals the exact mechanics of the resolution. In the vulnerable version of the deserializer (unflatten.ts), the code parsed the incoming array stream and checked for the third element, which denoted the custom errorType.

// Vulnerable unflatten.ts implementation
case TYPE_ERROR:
  const [, message, errorType] = value;
  let error =
    errorType && globalObj && globalObj[errorType]
      ? new globalObj[errorType](message)
      : new Error(message);
  hydrated[index] = error;
  set(error);
  continue;

This dynamic lookup is vulnerable because the global execution context, denoted by globalObj (equivalent to globalThis or window), contains properties that are not callable constructors. When an attacker passes a property name that exists on the global object but cannot be instantiated via the new operator, the JavaScript engine throws a fatal exception.

The fix, introduced in commit 59811921d3c7d599077b8cadccdcd65a233165e0, completely refactors this deserialization branch. The patched version removes the dynamic constructor resolution and instantiates a standard Error object regardless of the supplied name.

// Patched unflatten.ts implementation
case TYPE_ERROR:
  const [, message] = value;
  let error = new Error(message);
  hydrated[index] = error;
  set(error); 
  continue;

This modification represents a complete and robust remediation. By eliminating dynamic object instantiation from the stream parsing logic, the attack surface is neutralized, and variant payloads targeting other global constructors are rendered ineffective.

Exploitation Mechanics and DoS Attack Vector

Exploitation of CVE-2026-34077 does not require authentication and can be executed via a crafted HTTP request targeting the Single Fetch or RSC endpoints. An attacker must construct a stream payload containing a serialized error with a malicious errorType parameter. When the application or client attempts to parse this stream, the execution flow is diverted.

To cause an immediate process crash, the attacker targets non-constructor properties on the global execution scope. For example, submitting JSON as the errorType forces the execution of new globalThis.JSON(message). Because JSON is a static namespace and not a constructor, the Node.js runtime throws a fatal TypeError which, if unhandled in the streaming controller, terminates the server process.

Alternatively, the attacker can exploit this behavior to trigger an Out-of-Memory (OOM) condition on the server or the client browser. By supplying a constructor that allocates memory, such as ArrayBuffer, and a very large integer string as the message, the parser executes new ArrayBuffer(2000000000). This instruction causes an immediate and large heap allocation, exhausting available system memory and triggering a garbage collector crash or process termination.

Impact Assessment and Configuration Analysis

The concrete impact of CVE-2026-34077 primarily manifests as a high-severity Denial of Service (DoS) vulnerability. Exploiting this flaw allows unauthenticated remote attackers to repeatedly crash target Node.js processes, disrupting service availability for all users. In containerized environments, rapid container crashes can lead to orchestration failures and persistent outages.

While the primary risk is Denial of Service, the official NVD record highlights a secondary risk involving client-side Cross-Site Scripting (XSS). In configurations utilizing unstable React Server Components (RSC) APIs, an attacker who controls the destination of an RSC redirect can inject arbitrary client-side code. This risk is constrained to environments exposing RSC routing channels to untrusted input.

The vulnerability carries a CVSS v3.1 base score of 7.5, reflecting a High severity rating. The attack vector is Network, the complexity is Low, and no privileges or user interactions are required to trigger the failure. This low barrier to exploitation increases the likelihood of opportunistic scans and automated exploitation campaigns.

Remediation and Defensive Strategy

The primary and recommended mitigation for CVE-2026-34077 is upgrading the react-router and turbo-stream packages to the patched releases. For applications utilizing React Router v7, administrators should upgrade to version 7.14.0 or later. For applications using React Router v7 with specific RSC structures, version 7.13.2 contains targeted hotfixes for the redirect-handling vector.

Developers must also ensure that nested dependencies are updated within lockfiles. Run npm update react-router or the equivalent command for your package manager, then verify that turbo-stream is resolved to version 3.0.0 or higher. The presence of the vulnerable library version in dependency trees poses a continued risk even if the root application package appears upgraded.

If immediate patching is not feasible, organizations should employ temporary workarounds to restrict exposure. Implementing rate limiting on single-fetch and RSC streaming routes can reduce the impact of Denial of Service attempts. Additionally, configuring Web Application Firewall (WAF) rules to detect and drop streaming payloads containing anomalous error type sequences can block known exploit vectors at the perimeter.

Official Patches

remix-runOfficial patch fixing the error serialization vulnerability
remix-run AdvisoryGitHub Security Advisory for react-router

Fix Analysis (1)

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS Probability
0.04%
Top 88% most exploited

Affected Systems

react-routerturbo-streamRemix

Affected Versions Detail

Product
Affected Versions
Fixed Version
react-router
remix-run
>= 7.0.0, < 7.14.07.14.0
react-router (RSC context)
remix-run
>= 7.7.0, < 7.13.27.13.2
turbo-stream
jacob-ebey
< 3.0.03.0.0
AttributeDetail
CWE IDCWE-770
Attack VectorNetwork
CVSS Score7.5
EPSS Score0.0004 (12.33 percentile)
ImpactDenial of Service (DoS) / Process Crash
Exploit StatusProof-of-Concept / Theoretical
CISA KEV StatusNot Listed

MITRE ATT&CK Mapping

T1499Endpoint Denial of Service
Impact
CWE-770
Allocation of Resources Without Limits or Throttling

The product allocates resources without limits, making it vulnerable to exhaustion attacks, specifically through dynamic constructor execution during streaming error deserialization.

Vulnerability Timeline

Vulnerability identified in single-fetch streaming deserialization
2026-02-10
Patch commit 59811921d3c7d599077b8cadccdcd65a233165e0 pushed
2026-02-15
GitHub Security Advisory GHSA-rxv8-25v2-qmq8 published
2026-02-16
CVE-2026-34077 assigned
2026-02-16

References & Sources

  • [1]GHSA-rxv8-25v2-qmq8
  • [2]NVD - CVE-2026-34077
  • [3]Vulnerable Source Code - Flatten
  • [4]Vulnerable Source Code - Unflatten

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•1 day ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
8 views•7 min read
•1 day ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
8 views•6 min read
•1 day ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
14 views•7 min read
•1 day ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
7 views•6 min read
•1 day ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
8 views•6 min read
•1 day ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read