CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



CVE-2026-42211

CVE-2026-42211: Remote Code Execution via Insecure Deserialization in React Router Framework Mode

Alon Barad
Alon Barad
Software Engineer

Jun 4, 2026·5 min read·68 visits

Executive Summary (TL;DR)

An insecure deserialization vulnerability in React Router Framework Mode allows unauthenticated Remote Code Execution (RCE) when chained with prototype pollution.

A critical vulnerability exists in React Router v7 when running in Framework Mode. The vulnerability arises from insecure deserialization of TYPE_ERROR objects in the internal turbo-stream library, which resolves constructors from the global scope. If an application contains an independent prototype pollution vulnerability, an attacker can trigger unauthenticated Remote Code Execution (RCE) on the server.

Vulnerability Overview

React Router v7 introduces a data transmission feature known as "single-fetch" to pass serialized objects between the client and the server. In Framework Mode, this transmission mechanism utilizes an internally vendored fork of the turbo-stream library (v2) to serialize and deserialize complex JavaScript objects such as Dates, Maps, Sets, and Errors.

The vulnerability, identified as CVE-2026-42211, is classified under CWE-502 (Deserialization of Untrusted Data). The insecure deserialization routine resides within the error-handling logic of the single-fetch deserializer. Under specific conditions, this allows an unauthenticated remote attacker to instantiate arbitrary constructors.

This behavior exposes a critical attack surface because the deserializer attempts to dynamically hydrate specific JavaScript error subtypes. By sending a crafted payload containing serialized error parameters, an attacker can manipulate the execution flow of the server hosting the application.

Root Cause Analysis

The core vulnerability lies in the dynamic resolution of error class constructors during the unflattening phase of data deserialization. To restore the specific class of a serialized error, the server-side engine checks whether the class name exists in the global namespace using the JavaScript in operator.

In JavaScript, the in operator does not restrict its search to the direct properties of an object. Instead, it traverses the entire prototype chain of the target object up to Object.prototype. This behavior permits properties defined on parent prototypes to be resolved as if they were directly present on the global object.

If the application contains an independent prototype pollution vulnerability, an attacker can register an arbitrary property on the base prototype. When the deserializer performs the name in global check, the polluted property is resolved as a function constructor, which is subsequently invoked with attacker-controlled arguments.

Code Analysis

The vulnerable code path is located in the single-fetch deserialization wrapper within packages/react-router/lib/dom/ssr/single-fetch.tsx. The implementation uses the global scope to dynamically resolve constructors without checking a safelist.

// VULNERABLE IMPLEMENTATION
let Constructor = Error;
// @ts-expect-error
if (name && name in global && typeof global[name] === "function") {
  // @ts-expect-error
  Constructor = global[name];
}

The patched version introduces an explicit list of allowed error constructor names, restricting the resolution to safe, built-in JavaScript error classes.

// PATCHED IMPLEMENTATION
import { SUPPORTED_ERROR_TYPES } from "../../../vendor/turbo-stream-v2/turbo-stream";
 
let Constructor = Error;
if (
  name &&
  SUPPORTED_ERROR_TYPES.includes(name) &&
  name in global &&
  // @ts-expect-error
  typeof global[name] === "function"
) {
  // @ts-expect-error
  Constructor = global[name];
}

By enforcing the SUPPORTED_ERROR_TYPES.includes(name) constraint, the system rejects any custom or polluted property names. This restricts the instantiation mechanism to standard types such as TypeError and RangeError, which cannot be manipulated to execute arbitrary commands.

Exploitation Methodology

Exploitation of CVE-2026-42211 is structured as a two-stage attack chain. This requires a pre-existing prototype pollution vulnerability to be present within the application's dependencies or custom code. The first stage pollutes the global prototype with the target execution payload.

In the second stage, the attacker sends an HTTP request to the single-fetch data endpoint. This request contains a serialized payload designed to trigger the deserialization of a TYPE_ERROR. The payload specifies the polluted prototype property name as the error name, and the payload arguments as the command to execute.

When the deserializer parses the payload, it evaluates the polluted property name against the global object. Because of prototype inheritance, the lookup succeeds and resolves to the injected malicious function. The application then instantiates this function as a constructor, executing the command context.

Impact Assessment

The impact of successful exploitation is unauthenticated Remote Code Execution (RCE) on the host server. An attacker operating over the network can execute arbitrary system commands under the security context of the Node.js process.

This level of access allows complete compromise of the application environment. Attackers can read sensitive environmental variables, access database credentials, extract source code, or establish persistent remote access within the hosting infrastructure.

Although the attack complexity is rated as high due to the requirement of an auxiliary prototype pollution vulnerability, the severity remains significant. The vulnerability requires no user interaction and no privileges, allowing direct entry points to internal networks once the prerequisite prototype pollution condition is satisfied.

Remediation & Mitigation

The primary remediation for this vulnerability is upgrading react-router to version 7.14.2 or later. This update restricts deserialization to explicitly supported error classes, effectively neutralizing the lookup vector.

If an immediate upgrade is not possible, organizations should deploy runtime mitigations. Node.js processes can be configured to disable prototype mutations globally by executing the application with specific runtime flags.

# Enforce runtime prototype protection
node --disable-proto=throw server.js

Additionally, input sanitization should be enforced at the boundary level to detect and drop payloads containing prototype-polluting keys such as __proto__ or constructor.prototype. Freezing the base prototype using Object.freeze(Object.prototype) at application startup also prevents initial pollution.

Fix Analysis (1)

Technical Appendix

CVSS Score
8.1/ 10
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Affected Systems

React Router v7 applications deployed in Framework Mode

Affected Versions Detail

Product
Affected Versions
Fixed Version
react-router
remix-run
>= 7.0.0, < 7.14.27.14.2
AttributeDetail
CWE IDCWE-502
Attack VectorNetwork
CVSS Score8.1
EPSS Score0.00252
Exploit Statuspoc
KEV StatusNot Listed

MITRE ATT&CK Mapping

T1190Exploit Public-Facing Application
Initial Access
T1059Command and Scripting Interpreter
Execution
CWE-502
Deserialization of Untrusted Data

Vulnerability Timeline

React Router version 7.14.2 released
2026-04-21
CVE-2026-42211 published
2026-06-02

References & Sources

  • [1]GitHub Security Advisory GHSA-49rj-9fvp-4h2h
  • [2]NVD - CVE-2026-42211

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•about 18 hours ago•GHSA-8RQH-VXPR-X77P
4.3

GHSA-8RQH-VXPR-X77P: Stored Cross-Site Scripting via MIME Type Spoofing in Plone REST API

A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.

Amit Schendel
Amit Schendel
6 views•7 min read
•about 19 hours ago•CVE-2026-11400
8.0

CVE-2026-11400: Privilege Escalation via Untrusted Search Path in AWS Advanced JDBC Wrapper

An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.

Alon Barad
Alon Barad
7 views•6 min read
•about 20 hours ago•CVE-2026-27771
8.2

CVE-2026-27771: Authentication Bypass and Information Disclosure in Gitea Container and Composer Registries

CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.

Alon Barad
Alon Barad
7 views•7 min read
•about 21 hours ago•GHSA-CVPC-HCCG-WMW4
8.8

GHSA-CVPC-HCCG-WMW4: Missing Authorization in Formie Administrative Settings Allows Privilege Escalation

A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.

Amit Schendel
Amit Schendel
5 views•6 min read
•about 22 hours ago•CVE-2026-53598
7.5

CVE-2026-53598: Arbitrary File Read via File Reference Expansion in Microsoft Prompty

CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.

Amit Schendel
Amit Schendel
7 views•6 min read
•about 23 hours ago•GHSA-MFR4-MQ8W-VMG6
7.3

GHSA-MFR4-MQ8W-VMG6: Path Traversal in proot-distro copy Command Allows Container Escape

A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.

Alon Barad
Alon Barad
7 views•7 min read