Jun 4, 2026·5 min read·68 visits
An insecure deserialization vulnerability in React Router Framework Mode allows unauthenticated Remote Code Execution (RCE) when chained with prototype pollution.
A critical vulnerability exists in React Router v7 when running in Framework Mode. The vulnerability arises from insecure deserialization of TYPE_ERROR objects in the internal turbo-stream library, which resolves constructors from the global scope. If an application contains an independent prototype pollution vulnerability, an attacker can trigger unauthenticated Remote Code Execution (RCE) on the server.
React Router v7 introduces a data transmission feature known as "single-fetch" to pass serialized objects between the client and the server. In Framework Mode, this transmission mechanism utilizes an internally vendored fork of the turbo-stream library (v2) to serialize and deserialize complex JavaScript objects such as Dates, Maps, Sets, and Errors.
The vulnerability, identified as CVE-2026-42211, is classified under CWE-502 (Deserialization of Untrusted Data). The insecure deserialization routine resides within the error-handling logic of the single-fetch deserializer. Under specific conditions, this allows an unauthenticated remote attacker to instantiate arbitrary constructors.
This behavior exposes a critical attack surface because the deserializer attempts to dynamically hydrate specific JavaScript error subtypes. By sending a crafted payload containing serialized error parameters, an attacker can manipulate the execution flow of the server hosting the application.
The core vulnerability lies in the dynamic resolution of error class constructors during the unflattening phase of data deserialization. To restore the specific class of a serialized error, the server-side engine checks whether the class name exists in the global namespace using the JavaScript in operator.
In JavaScript, the in operator does not restrict its search to the direct properties of an object. Instead, it traverses the entire prototype chain of the target object up to Object.prototype. This behavior permits properties defined on parent prototypes to be resolved as if they were directly present on the global object.
If the application contains an independent prototype pollution vulnerability, an attacker can register an arbitrary property on the base prototype. When the deserializer performs the name in global check, the polluted property is resolved as a function constructor, which is subsequently invoked with attacker-controlled arguments.
The vulnerable code path is located in the single-fetch deserialization wrapper within packages/react-router/lib/dom/ssr/single-fetch.tsx. The implementation uses the global scope to dynamically resolve constructors without checking a safelist.
// VULNERABLE IMPLEMENTATION
let Constructor = Error;
// @ts-expect-error
if (name && name in global && typeof global[name] === "function") {
// @ts-expect-error
Constructor = global[name];
}The patched version introduces an explicit list of allowed error constructor names, restricting the resolution to safe, built-in JavaScript error classes.
// PATCHED IMPLEMENTATION
import { SUPPORTED_ERROR_TYPES } from "../../../vendor/turbo-stream-v2/turbo-stream";
let Constructor = Error;
if (
name &&
SUPPORTED_ERROR_TYPES.includes(name) &&
name in global &&
// @ts-expect-error
typeof global[name] === "function"
) {
// @ts-expect-error
Constructor = global[name];
}By enforcing the SUPPORTED_ERROR_TYPES.includes(name) constraint, the system rejects any custom or polluted property names. This restricts the instantiation mechanism to standard types such as TypeError and RangeError, which cannot be manipulated to execute arbitrary commands.
Exploitation of CVE-2026-42211 is structured as a two-stage attack chain. This requires a pre-existing prototype pollution vulnerability to be present within the application's dependencies or custom code. The first stage pollutes the global prototype with the target execution payload.
In the second stage, the attacker sends an HTTP request to the single-fetch data endpoint. This request contains a serialized payload designed to trigger the deserialization of a TYPE_ERROR. The payload specifies the polluted prototype property name as the error name, and the payload arguments as the command to execute.
When the deserializer parses the payload, it evaluates the polluted property name against the global object. Because of prototype inheritance, the lookup succeeds and resolves to the injected malicious function. The application then instantiates this function as a constructor, executing the command context.
The impact of successful exploitation is unauthenticated Remote Code Execution (RCE) on the host server. An attacker operating over the network can execute arbitrary system commands under the security context of the Node.js process.
This level of access allows complete compromise of the application environment. Attackers can read sensitive environmental variables, access database credentials, extract source code, or establish persistent remote access within the hosting infrastructure.
Although the attack complexity is rated as high due to the requirement of an auxiliary prototype pollution vulnerability, the severity remains significant. The vulnerability requires no user interaction and no privileges, allowing direct entry points to internal networks once the prerequisite prototype pollution condition is satisfied.
The primary remediation for this vulnerability is upgrading react-router to version 7.14.2 or later. This update restricts deserialization to explicitly supported error classes, effectively neutralizing the lookup vector.
If an immediate upgrade is not possible, organizations should deploy runtime mitigations. Node.js processes can be configured to disable prototype mutations globally by executing the application with specific runtime flags.
# Enforce runtime prototype protection
node --disable-proto=throw server.jsAdditionally, input sanitization should be enforced at the boundary level to detect and drop payloads containing prototype-polluting keys such as __proto__ or constructor.prototype. Freezing the base prototype using Object.freeze(Object.prototype) at application startup also prevents initial pollution.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
react-router remix-run | >= 7.0.0, < 7.14.2 | 7.14.2 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-502 |
| Attack Vector | Network |
| CVSS Score | 8.1 |
| EPSS Score | 0.00252 |
| Exploit Status | poc |
| KEV Status | Not Listed |
A stored Cross-Site Scripting (XSS) vulnerability exists within plone.restapi, the REST API package for Plone content management system. By supplying a spoofed input MIME type (text/x-html-safe), an attacker can mislead the rendering layer (plone.app.textfield) into assuming that the supplied content is already sanitized. This causes the system to skip the safe_html transform, allowing arbitrary JavaScript to execute in the victim's browser when they view the compromised page.
An untrusted search path vulnerability in the GlobalDatabasePlugin component of the AWS Advanced JDBC Wrapper for Amazon Aurora PostgreSQL allows authenticated, low-privilege database users to hijack administrative session queries. By defining a custom function in a writable schema such as the public schema, an attacker can hijack queries executed automatically during driver-level topology detection. When a highly privileged database user connects to the database utilizing an affected version of the wrapper, the custom function executes under their security context, enabling remote privilege escalation to rds_superuser.
CVE-2026-27771 represents a critical security flaw in Gitea and Forgejo (up to and including version 1.26.1) involving missing authorization checks (CWE-862). Unauthenticated remote attackers can query, enumerate, and download private container images from the OCI-compliant container registry. Additionally, unauthorized users can retrieve private or internal source repository URLs via the Composer package registry metadata API. A public proof-of-concept exists, and threat metrics indicate highly active scanning and exploitation risks.
A missing authorization vulnerability in the Formie plugin for Craft CMS prior to version 3.1.28 allows low-privileged Control Panel users to read and modify sensitive administrative settings, configuration options, and third-party integrations.
CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.
A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.