PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-59057 remix-run CVE debrief

CVE-2025-59057 is a high-severity cross-site scripting (XSS) vulnerability in React Router's meta()/<Meta> APIs in Framework Mode. It affects @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2. When a route's meta() function returns a "script:ld+json" descriptor built from untrusted content, that content is written into the server-rendered <script type="application/ld+json"> tag during Server-Side Rendering (SSR) without adequate escaping, so an attacker who controls the content can break out of the tag and have arbitrary JavaScript run in the browser of anyone who loads the page. The fix shipped in @remix-run/react version 2.17.1 and react-router version 7.9.0. Applications running in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) are not affected, because meta()/<Meta> are Framework Mode features.

Vendor
remix-run
Product
react-router
CVSS
HIGH 7.6
CISA KEV
Not listed in stored evidence
Original CVE published
2026-01-10
Original CVE updated
2026-06-30
Advisory published
2026-01-10
Advisory updated
2026-06-30

Who should care

Developers running React Router in Framework Mode on @remix-run/react 1.15.0 through 2.17.0 or react-router 7.0.0 through 7.8.2, and in particular anyone whose routes emit JSON-LD through a "script:ld+json" meta descriptor, should treat this as an actionable XSS bug. Security teams and administrators who maintain applications on these versions should prioritise the upgrade; pages that build structured data from user-supplied or third-party content (product descriptions, profile fields, CMS text) are the ones most exposed.

Technical summary

The vulnerability is in how React Router's meta()/<Meta> APIs render "script:ld+json" descriptors in Framework Mode. The descriptor's object is serialised to JSON and placed inside a <script type="application/ld+json"> element in the SSR output. JSON serialisation alone does not make data safe inside a script element: the HTML tokenizer ends the element at the first "</script" sequence it sees regardless of JSON string boundaries, so a value containing that sequence closes the JSON-LD tag early and whatever follows is parsed as fresh HTML, including a new <script> block. Because the payload is baked into the server-rendered document, every visitor who loads the affected page executes it. The CVSS score is 7.6 (High). The fix is in @remix-run/react version 2.17.1 and react-router version 7.9.0. Affected CPE criteria include cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:* (versions 7.0.0 through 7.8.2) and cpe:2.3:a:shopify:remix-run/react:*:*:*:*:*:node.js:*:* (versions 1.15.0 through 2.17.0).

Defensive priority

This vulnerability should be prioritised for patching: the severity is High, the trigger is ordinary application data rather than an unusual configuration, and the injected script reaches every user of the affected page. Projects on the Remix package line should update @remix-run/react to 2.17.1 or later; projects on React Router 7 should update react-router to 7.9.0 or later. Check nested copies as well as the top-level dependency, since a stale duplicate pulled in by another package is still rendered if it is the one doing the SSR.
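One way to confirm which installed copies fall in the affected ranges is to walk the npm lockfile rather than trust the top-level version alone. The following is an added example written for this debrief, not tooling from the React Router project; the lockfile contents are constructed, the function names are hypothetical, and it reads only the lockfileVersion 2/3 "packages" map (lockfileVersion 1 files use a different "dependencies" tree that this does not handle).

```javascript
// Added example (not React Router or Remix code): flag installed copies of
// react-router / @remix-run/react inside the advisory's affected ranges,
// including copies nested under another package's node_modules directory.

// Ranges and fixed versions as stated in the advisory.
const AFFECTED = {
  'react-router':     { min: '7.0.0',  max: '7.8.2',  fixed: '7.9.0'  },
  '@remix-run/react': { min: '1.15.0', max: '2.17.0', fixed: '2.17.1' },
};

// Constructed sample lockfile (lockfileVersion 3 layout); not from a real app.
const SAMPLE_LOCK = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/react-router': { version: '7.9.0' },            // fixed
    'node_modules/@remix-run/react': { version: '2.16.0' },       // affected
    'node_modules/some-plugin': { version: '1.2.3' },
    'node_modules/some-plugin/node_modules/react-router': { version: '7.5.1' }, // nested, affected
    'node_modules/react': { version: '19.0.0' },
  },
};

// Numeric comparison of dotted versions. Simplification: a pre-release
// suffix is dropped, so "7.9.0-pre.1" compares equal to "7.9.0".
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// The package name is everything after the last "node_modules/" segment,
// which keeps scoped names such as "@remix-run/react" intact.
function packageNameFromPath(lockPath) {
  const marker = 'node_modules/';
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? null : lockPath.slice(i + marker.length);
}

// Returns one record per installed copy whose version is inside an affected range.
function findAffected(lock) {
  const hits = [];
  for (const [lockPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(lockPath);
    const range = name && AFFECTED[name];
    if (!range || !entry.version) continue;
    if (compareVersions(entry.version, range.min) >= 0 &&
        compareVersions(entry.version, range.max) <= 0) {
      hits.push({ path: lockPath, name, version: entry.version, upgradeTo: range.fixed });
    }
  }
  return hits;
}

// Stand-alone run against the constructed lockfile.
for (const hit of findAffected(SAMPLE_LOCK)) {
  console.log(`${hit.path}: ${hit.name}@${hit.version} -> upgrade to ${hit.upgradeTo}`);
}
```

On a real project, replace SAMPLE_LOCK with the parsed contents of package-lock.json; `npm ls react-router @remix-run/react` shows the same nested copies interactively, but the lockfile walk is easier to run across many repositories in CI.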

Recommended defensive actions

  • If you are on the Remix package line, update @remix-run/react to version 2.17.1 or later
  • If you are on React Router 7, update react-router to version 7.9.0 or later
  • Audit every route's meta() return value (and any shared meta helpers) in Framework Mode for "script:ld+json" descriptors, and trace where each field in those objects comes from
  • Until the upgrade lands, do not place untrusted strings in "script:ld+json" descriptors; if the data cannot be avoided, make sure the serialised JSON cannot contain a "</script" sequence or other raw HTML delimiters before it reaches the tag
  • Declarative Mode (<BrowserRouter>) and Data Mode (createBrowserRouter/<RouterProvider>) are not affected, but moving an SSR application to one of them is an architectural change, not a mitigation; upgrading is the practical fix
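To make the mechanism in the technical summary and the escaping advice in the list above concrete, here is an added example written for this debrief. It is not React Router's or Remix's source and does not reproduce their renderer; it is a minimal stand-in for how a meta() descriptor of the form { "script:ld+json": {...} } becomes an HTML tag. The untrusted description, the descriptor builder and all function names are constructed for the example. It shows the naive rendering (JSON dropped straight into the element) beside a hardened serialiser, and checks that the hardened output still decodes to the original JSON-LD.

```javascript
// Added example (not React Router or Remix code). Demonstrates the
// script-element break-out that unescaped JSON-LD allows, and a serialiser
// that closes it while keeping the JSON readable by structured-data consumers.

// Constructed untrusted input: picture a product description loaded from a
// CMS or user profile and returned from a route's meta() function.
const UNTRUSTED_DESCRIPTION =
  'Great widget</script><script>alert(document.cookie)</script>';

// Shape of a Framework Mode meta() return value that carries JSON-LD.
function buildMetaDescriptors(description) {
  return [
    { title: 'Widget' },
    {
      'script:ld+json': {
        '@context': 'https://schema.org',
        '@type': 'Product',
        name: 'Widget',
        description,
      },
    },
  ];
}

// Ordinary HTML text escaping, used for <title>.
function escapeText(s) {
  return String(s).replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Escape the characters that let a JSON string end the <script> element or
// otherwise change HTML/JS parsing. The output is still valid JSON with the
// same decoded value: \uXXXX escapes are legal inside JSON strings, and none
// of these characters occur in JSON syntax outside strings.
function escapeForScriptElement(json) {
  return json
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Render one descriptor to a tag. unsafe=true reproduces the naive pattern.
function renderDescriptor(descriptor, { unsafe = false } = {}) {
  if ('title' in descriptor) {
    return `<title>${escapeText(descriptor.title)}</title>`;
  }
  if ('script:ld+json' in descriptor) {
    const json = JSON.stringify(descriptor['script:ld+json']);
    const body = unsafe ? json : escapeForScriptElement(json);
    return `<script type="application/ld+json">${body}</script>`;
  }
  throw new Error('unsupported descriptor');
}

function renderHead(descriptors, opts) {
  return descriptors.map((d) => renderDescriptor(d, opts)).join('\n');
}

// Detection helper: count the "</script" sequences the HTML tokenizer will see.
// Anything beyond the element's own closing tag is an early termination.
function countScriptCloseTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Pull the JSON text back out of the single ld+json tag in the rendered head,
// so we can show the escaped form still parses to the original data.
function extractLdJson(html) {
  const open = '<script type="application/ld+json">';
  const body = html.slice(html.indexOf(open) + open.length);
  return body.slice(0, body.lastIndexOf('</script>'));
}

function demo() {
  const descriptors = buildMetaDescriptors(UNTRUSTED_DESCRIPTION);
  const naiveHtml = renderHead(descriptors, { unsafe: true });
  const safeHtml = renderHead(descriptors);
  return { naiveHtml, safeHtml };
}

const { naiveHtml, safeHtml } = demo();
console.log('naive  </script count:', countScriptCloseTags(naiveHtml));
console.log('safe   </script count:', countScriptCloseTags(safeHtml));
```

The instructive part is that both renderings contain syntactically valid JSON; JSON.parse succeeds on either. The difference is only visible to the HTML parser, which is why "the data is JSON-encoded" is not a sufficient argument that a script element is safe, and why the escaping has to happen at the point the string is written into HTML.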

Evidence notes

The CVE record and the NVD entry are the authoritative descriptions of the affected version ranges and the fix. Additional references from Red Hat and GitHub supply further context and the upstream remediation. The CVE was published on January 10, 2026, and last modified on June 30, 2026; the KEV status above reflects the stored evidence only, not a live lookup.

Official resources

This article is AI-assisted and based on the supplied source corpus.