PatchSiren cyber security CVE debrief
CVE-2025-59057 remix-run CVE debrief
CVE-2025-59057 is a high-severity XSS vulnerability affecting React Router's meta()/<Meta> APIs in Framework Mode. The issue exists in @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2. An attacker could exploit this vulnerability to execute arbitrary JavaScript during Server-Side Rendering (SSR) if untrusted content is used to generate script:ld+json tags. The vulnerability has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
- Vendor: remix-run
- Product: react-router
- CVSS: HIGH 7.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-01-10
- Original CVE updated: 2026-06-30
- Advisory published: 2026-01-10
- Advisory updated: 2026-06-30
Who should care
Developers using React Router in Framework Mode with @remix-run/react versions 1.15.0 through 2.17.0 or react-router versions 7.0.0 through 7.8.2 should be aware of this XSS vulnerability. Additionally, security teams and administrators responsible for maintaining applications that utilize these affected versions should prioritize patching to prevent potential attacks.
Technical summary
The vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags. This could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. The CVSS score for this vulnerability is 7.6, indicating a high severity. The vulnerability is patched in @remix-run/react version 2.17.1 and react-router version 7.9.0. Affected CPE criteria include cpe:2.3:a:shopify:react-router:*:*:*:*:*:node.js:*:* (version 7.0.0 through 7.8.2) and cpe:2.3:a:shopify:remix-run/react:*:*:*:*:*:node.js:*:* (version 1.15.0 through 2.17.0).
Defensive priority
This vulnerability should be prioritized for patching due to its high severity and potential for exploitation. Developers should update to @remix-run/react version 2.17.1 or react-router version 7.9.0 as soon as possible.
Recommended defensive actions
- Update to @remix-run/react version 2.17.1 or later
- Update to react-router version 7.9.0 or later
- Review application usage of React Router's meta()/<Meta> APIs in Framework Mode
- Ensure untrusted content is not used to generate script:ld+json tags
- Consider using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>) if possible
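Why untrusted strings in a script:ld+json payload are dangerous, shown as an added example that is not code from the advisory or from React Router: the HTML parser ends a script element at the first "</script" it sees, even inside a JSON string. The escaping below is a generic approach and makes no claim about how the upstream patch works; all function names are hypothetical and the sample data is constructed.

```javascript
// Added example; function names are hypothetical, sample data is constructed.

// Serialize a value for embedding inside a <script> element. "<", ">" and "&"
// (plus U+2028/U+2029) are emitted as \uXXXX escapes, which JSON.parse decodes
// back to the original characters, so the data itself is unchanged.
function escapeJsonForScript(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, (ch) =>
    "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0"));
}

// Weak form: plain JSON.stringify leaves "<" untouched.
function renderNaive(data) {
  return '<script type="application/ld+json">' + JSON.stringify(data) + "</script>";
}

// Hardened form: same markup, escaped payload.
function renderHardened(data) {
  return '<script type="application/ld+json">' + escapeJsonForScript(data) + "</script>";
}

// A single rendered JSON-LD block must contain exactly one script end tag.
function countScriptEndTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Audit helper: paths of keys or string values containing "<" in the object a
// route's meta() passes as "script:ld+json", for review before upgrading.
function findAngleBracketPaths(node, path = "$", out = []) {
  if (typeof node === "string") {
    if (node.includes("<")) out.push(path);
  } else if (node !== null && typeof node === "object") {
    for (const [key, child] of Object.entries(node)) {
      const childPath = Array.isArray(node) ? `${path}[${key}]` : `${path}.${key}`;
      if (!Array.isArray(node) && key.includes("<")) out.push(childPath + " (key)");
      findAngleBracketPaths(child, childPath, out);
    }
  }
  return out;
}

// Constructed sample: the headline stands in for untrusted content.
const sample = {
  "@context": "https://schema.org",
  "@type": "Article",
  headline: "Quarterly update</script><p>outside the JSON-LD block</p>",
  author: [{ "@type": "Person", name: "A. Writer" }],
};

console.log(countScriptEndTags(renderNaive(sample)));    // 2
console.log(countScriptEndTags(renderHardened(sample))); // 1
```

The end-tag count works as a regression check in SSR tests, and the audit helper points at the fields that need review in existing routes.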
Evidence notes
The CVE record and NVD detail provide official information about the vulnerability. Additional references from Red Hat and GitHub offer further context and mitigation strategies. The CVE was published on January 10, 2026, and last modified on June 30, 2026.
Official resources
- CVE-2025-59057 CVE record: CVE.org
- CVE-2025-59057 NVD detail: NVD
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Third Party Advisory
- Source reference: 0b0ca135-0b70-47e7-9f44-1890c2a1c46c
This article is AI-assisted and based on the supplied source corpus.