CVE-2026-42211: Remote Code Execution via Insecure Deserialization in React Router Framework Mode

React Router v7 introduces a data transmission feature known as "single-fetch" to pass serialized objects between the client and the server. In Framework Mode, this transmission mechanism utilizes an internally vendored fork of the turbo-stream library (v2) to serialize and deserialize complex JavaScript objects such as Dates, Maps, Sets, and Errors.

The vulnerability, identified as CVE-2026-42211, is classified under CWE-502 (Deserialization of Untrusted Data). The insecure deserialization routine resides within the error-handling logic of the single-fetch deserializer. Under specific conditions, this allows an unauthenticated remote attacker to instantiate arbitrary constructors.

This behavior exposes a critical attack surface because the deserializer attempts to dynamically hydrate specific JavaScript error subtypes. By sending a crafted payload containing serialized error parameters, an attacker can manipulate the execution flow of the server hosting the application.

The core vulnerability lies in the dynamic resolution of error class constructors during the unflattening phase of data deserialization. To restore the specific class of a serialized error, the server-side engine checks whether the class name exists in the global namespace using the JavaScript in operator.

In JavaScript, the in operator does not restrict its search to the direct properties of an object. Instead, it traverses the entire prototype chain of the target object up to Object.prototype. This behavior permits properties defined on parent prototypes to be resolved as if they were directly present on the global object.

If the application contains an independent prototype pollution vulnerability, an attacker can register an arbitrary property on the base prototype. When the deserializer performs the name in global check, the polluted property is resolved as a function constructor, which is subsequently invoked with attacker-controlled arguments.

The vulnerable code path is located in the single-fetch deserialization wrapper within packages/react-router/lib/dom/ssr/single-fetch.tsx. The implementation uses the global scope to dynamically resolve constructors without checking a safelist.

// VULNERABLE IMPLEMENTATION
let Constructor = Error;
// @ts-expect-error
if (name && name in global && typeof global[name] === "function") {
  // @ts-expect-error
  Constructor = global[name];
}

The patched version introduces an explicit list of allowed error constructor names, restricting the resolution to safe, built-in JavaScript error classes.

// PATCHED IMPLEMENTATION
import { SUPPORTED_ERROR_TYPES } from "../../../vendor/turbo-stream-v2/turbo-stream";
 
let Constructor = Error;
if (
  name &&
  SUPPORTED_ERROR_TYPES.includes(name) &&
  name in global &&
  // @ts-expect-error
  typeof global[name] === "function"
) {
  // @ts-expect-error
  Constructor = global[name];
}

By enforcing the SUPPORTED_ERROR_TYPES.includes(name) constraint, the system rejects any custom or polluted property names. This restricts the instantiation mechanism to standard types such as TypeError and RangeError, which cannot be manipulated to execute arbitrary commands.

Exploitation of CVE-2026-42211 is structured as a two-stage attack chain. This requires a pre-existing prototype pollution vulnerability to be present within the application's dependencies or custom code. The first stage pollutes the global prototype with the target execution payload.

In the second stage, the attacker sends an HTTP request to the single-fetch data endpoint. This request contains a serialized payload designed to trigger the deserialization of a TYPE_ERROR. The payload specifies the polluted prototype property name as the error name, and the payload arguments as the command to execute.

When the deserializer parses the payload, it evaluates the polluted property name against the global object. Because of prototype inheritance, the lookup succeeds and resolves to the injected malicious function. The application then instantiates this function as a constructor, executing the command context.

The impact of successful exploitation is unauthenticated Remote Code Execution (RCE) on the host server. An attacker operating over the network can execute arbitrary system commands under the security context of the Node.js process.

This level of access allows complete compromise of the application environment. Attackers can read sensitive environmental variables, access database credentials, extract source code, or establish persistent remote access within the hosting infrastructure.

Although the attack complexity is rated as high due to the requirement of an auxiliary prototype pollution vulnerability, the severity remains significant. The vulnerability requires no user interaction and no privileges, allowing direct entry points to internal networks once the prerequisite prototype pollution condition is satisfied.

The primary remediation for this vulnerability is upgrading react-router to version 7.14.2 or later. This update restricts deserialization to explicitly supported error classes, effectively neutralizing the lookup vector.

If an immediate upgrade is not possible, organizations should deploy runtime mitigations. Node.js processes can be configured to disable prototype mutations globally by executing the application with specific runtime flags.

# Enforce runtime prototype protection
node --disable-proto=throw server.js

Additionally, input sanitization should be enforced at the boundary level to detect and drop payloads containing prototype-polluting keys such as __proto__ or constructor.prototype. Freezing the base prototype using Object.freeze(Object.prototype) at application startup also prevents initial pollution.