Description
A XSS vulnerability exists in in React Router’s meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.
Recommendation
Update the @remix-run/react package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.15.0, <= 2.17.0
- Patched version(s): 2.17.1
References
Related Issues
- Nuxt MDC has an XSS vulnerability in markdown rendering that bypasses HTML filtering - CVE-2025-54075
- React Router has Path Traversal in File Session Storage (GHSA-9583-h5hc-x8cw) - CVE-2025-61686
- React Router has Path Traversal in File Session Storage - CVE-2025-61686
- React Router SSR XSS in ScrollRestoration - CVE-2026-21884
- Tags:
- npm
- @remix-run/react
Anything's wrong? Let us know Last updated on January 11, 2026