Jun 3, 2026·6 min read·47 visits
A high-severity Denial of Service vulnerability in React Router (v7 Framework Mode) and Remix (v2) allows unauthenticated remote attackers to exhaust server resources and freeze the Node.js event loop via unbounded path expansion requests to the manifest resolution engine. Upgrade to react-router v7.15.0 or @remix-run/server-runtime v2.17.5 to resolve.
An Uncontrolled Resource Consumption vulnerability (CWE-400) affects React Router in Framework Mode and Remix server runtimes. A remote, unauthenticated attacker can trigger unbounded recursive path expansion in the manifest resolution component, leading to 100% CPU exhaustion and complete Denial of Service. The vulnerability arises because the server does not enforce depth limits when parsing deeply nested path segments in requests directed to the dynamic manifest evaluation endpoints. This blocks the single-threaded Node.js event loop, preventing the processing of subsequent client requests. The issue is resolved in react-router v7.15.0 and @remix-run/server-runtime v2.17.5. Applications using React Router in client-side-only Declarative or Data modes are unaffected.
React Router Framework Mode and Remix architectures integrate server-side routing engines to optimize dynamic web application client experiences. During build initialization, the compiler builds a hierarchical route manifest tracking dependencies, assets, and route parameters. The server exposes the internal __manifest endpoint to dynamically serve portions of this structural mapping to the browser runtime during page transitions. This architecture requires parsing and resolving incoming request paths sequentially against the defined layout hierarchy.\n\nThe vulnerability designated as CVE-2026-42342 lies within this manifest-resolution process in @remix-run/server-runtime and the react-router Framework Mode packages. The parsing component fails to enforce boundaries on the input parameters of incoming path-expansion requests. This flaw is classified as CWE-400 (Uncontrolled Resource Consumption), enabling a remote, unauthenticated attacker to exhaust critical server assets.\n\nBecause the resolution component executes synchronously within the main execution thread, the application is highly vulnerable to denial of service. Standard configurations exposing this endpoint directly to the internet allow external actors to execute targets. This analysis details the underlying failure logic, exploitation mechanics, and validation remediations necessary to secure the application layers.
The root cause of CVE-2026-42342 is located in the route-matching and dynamic-expansion function inside @remix-run/server-runtime. When a user requests assets via the __manifest endpoint, the system extracts the path segments from the URL structure. It then maps these elements recursively against the configured routing hierarchy to build a dynamic subset of application requirements.\n\nIn vulnerable configurations, this matching mechanism iterates over each dynamic directory segment using a nested, recursive algorithm. The path resolution implementation lacks an explicit depth limitation or iteration ceiling. When processing an input path containing thousands of nested parameters, the execution cycle descends recursively without bounds.\n\nThe algorithmic complexity of this matching pattern scales non-linearly with the number of path segments, resulting in high-density processing overhead. Because the evaluation logic runs entirely inside the single-threaded Node.js environment, the synchronous recursion starves the event loop. The thread remains locked in memory and execution loops, completely preventing context switching to resolve adjacent network packets.
To illustrate the vulnerability, we examine the logic that performs dynamic route matching. The vulnerable code pattern recursively steps through routing directories without a defined depth boundary or parameter constraint count:\n\ntypescript\n// Vulnerable Path Expansion Implementation\nfunction expandRouteManifest(segments: string[], currentTree: RouteNode): RouteManifest {\n // No upper-boundary check or maximum recursion limit exists here\n const segment = segments[0];\n if (!segment || segments.length === 0) {\n return buildRouteMap(currentTree);\n }\n\n const matchedNode = findMatchingNode(segment, currentTree.children);\n if (matchedNode) {\n // Recursive call continues processing next segment without stack limit validation\n return expandRouteManifest(segments.slice(1), matchedNode);\n }\n return {};\n}\n\n\nThe remediation implements strict array validation and limits the maximum recursion depth allowed during manifest requests. The patched implementation enforces safe resource parameters to terminate execution before stack overflow or event loop starvation occurs:\n\ntypescript\n// Patched Path Expansion Implementation\nconst MAX_PATH_DEPTH = 32; // Enforces strict boundary limit on nested segments\n\nfunction expandRouteManifestSafe(segments: string[], currentTree: RouteNode, depth = 0): RouteManifest {\n // Patched: Check to prevent deep path traversal and eventual thread starvation\n if (depth > MAX_PATH_DEPTH) {\n throw new Error(\"Path depth limit exceeded: execution terminated\");\n }\n \n const segment = segments[0];\n if (!segment || segments.length === 0) {\n return buildRouteMap(currentTree);\n }\n\n const matchedNode = findMatchingNode(segment, currentTree.children);\n if (matchedNode) {\n // Patched: Tracks and increments depth parameters safely\n return expandRouteManifestSafe(segments.slice(1), matchedNode, depth + 1);\n }\n return {};\n}\n\n\nmermaid\ngraph LR\n A[\"Attacker Payload\"] --> B[\"__manifest Endpoint\"]\n B --> C[\"Path Split & Expansion Engine\"]\n C --> D[\"Recursive Route Tree Traversal\"]\n D --> E[\"Single Event Loop Blocked\"]\n E --> F[\"Full Application Outage\"]\n
Exploitation of CVE-2026-42342 requires zero authentication and basic toolsets. The attack takes advantage of the exposed nature of the application manifest system, which is open by design to facilitate client route state management. An attacker must identify an active React Router v7 or Remix v2 framework application deployment.\n\nThe attack relies on sending a crafted HTTP request with a high count of path segments. By appending thousands of repeating sub-directories to the path targeting the manifest evaluation routine, the attacker forces the engine into loop exhaustion. A simple curl utility command demonstrates this behavior in target testing environments.\n\nUpon receiving the packet, the server runtime locks up immediately as the event loop struggles to execute the recursive matching tree. System monitors show immediate 100% CPU capacity utilization on the active process. Legitimately routed traffic fails to negotiate TCP connection hands, producing timeout errors at the client tier.
The security impact of this vulnerability is characterized as high-severity denial of service. The CVSS score of 7.5 highlights the potential for complete resource starvation with minimal execution complexity. No confidential data is disclosed, and database state integrity remains unmodified, keeping the Confidentiality and Integrity metrics at None.\n\nThe architectural footprint of Node.js increases the impact of CWE-400. Unlike multi-threaded runtimes that spin up separate threads to manage concurrent connections, Node.js relies on asynchronous task resolution on a single main thread. A single CPU-bound blocker within the path traversal loop prevents all pending database interactions, HTTP handshakes, and asset routing resolutions from completing.\n\nThis total interruption of service results in operational downtime. For commercial platforms, an active exploitation attempt degrades application performance, inducing transactions failures and triggering load-balancer health-check dropouts. The operational severity remains significant until process-level reboots or service restarts are executed.
The primary remediation strategy requires upgrading the core npm packages to versions where recursion safety boundaries are implemented. Applications utilizing React Router v7 should migrate immediately to version 7.15.0 or higher. Applications built on Remix v2 should update the @remix-run/server-runtime to version 2.17.5 or higher.\n\nWhen immediate library upgrades are prevented by software release cycles, edge-level mitigations must be configured. Web Application Firewalls (WAF) should be updated to drop incoming requests with high path segment counts. Rules blocking requests that contain more than eight path boundaries inside manifest-bound queries prevent resource saturation.\n\nFurthermore, reverse proxy servers like Nginx or HAProxy can enforce URI length and segment limitation rules to reject malicious patterns before reaching node runtimes. Security teams should execute automated scanning using target testing signatures to verify mitigation efficacy. Enforcing these combined boundary limits reduces exposure and maintains service reliability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
react-router Remix | >= 7.0.0, < 7.15.0 | 7.15.0 |
@remix-run/server-runtime Remix | >= 2.10.0, < 2.17.5 | 2.17.5 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-400 |
| Attack Vector | Network (AV:N) |
| CVSS Score | 7.5 |
| EPSS Score | 0.00051 (16.30% percentile) |
| Exploit Status | Theoretical / Proof of Concept Only |
| CISA KEV Status | Not Listed |
| Impact | Denial of Service (DoS) via CPU Exhaustion |
The software does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, leading to exhaustion.
CVE-2026-53598 is a directory traversal and arbitrary file read vulnerability in Microsoft Prompty ecosystem loaders across multiple languages. Prior to version 2.0.0-beta.2, the loaders resolved `${file:...}` reference strings inside frontmatter configuration blocks without enforcing that the target file paths resided within authorized directories. This deficiency allows an attacker-controlled configuration file to read sensitive operating system and application files through absolute paths, directory traversal, or symbolic link escapes. The issue is addressed across the Python, C#, Node.js/TypeScript, and Rust ecosystems.
A directory traversal vulnerability exists in the copy subcommand of the proot-distro utility. Due to incomplete path sanitization, local attackers or malicious scripts can read from or write to arbitrary files outside the container rootfs, bypassing isolation barriers and potentially gaining unauthorized access or persistent execution on the host system.
An authorization bypass vulnerability in the Open Policy Agent (OPA) integration of the Skipper HTTP router allows unauthenticated remote attackers to bypass OPA policy inspection. When an incoming HTTP request declares a Content-Length exceeding Skipper's configured maxBodyBytes limit, Skipper bypasses body parsing and forwards an empty document to OPA, while transmitting the full, uninspected payload intact to the upstream backend.
CVE-2026-53597 is a high-severity code injection vulnerability in Microsoft's prompty library, specifically affecting the TypeScript loader (@prompty/core). Due to an insecure default configuration in the underlying gray-matter metadata parser, processing untrusted prompt files containing executable JavaScript blocks inside the frontmatter results in arbitrary remote code execution within the security context of the parent Node.js process.
An arbitrary code generation injection vulnerability in the oapi-codegen OpenAPI toolchain allows remote attackers to inject executable Go statements into compiled outputs via manipulated specifications.
A severe denial-of-service (DoS) vulnerability exists in the speech-to-text API endpoints of the vLLM serving engine from version 0.22.0 to 0.23.0. The flaw is triggered by the direct deserialization and reading of uploaded files into RAM prior to validating file-size limits. An authenticated attacker can exploit this behavior by submitting large file payloads, causing resource starvation and forcing the operating system kernel to terminate the serving process.