Description
A XSS vulnerability exists in in React Router’s meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag.
Recommendation
Update the @remix-run/react package to the latest compatible version. Followings are version details:
- Affected version(s): >= 1.15.0, <= 2.17.0
- Patched version(s): 2.17.1
References
Related Issues
- React Router SSR XSS in ScrollRestoration - CVE-2026-21884
- Cross-site scripting in Swagger-UI - CVE-2019-17495
- Path Traversal in simplehttpserver - CVE-2018-16478
- Cross-Site Scripting in html-pages - CVE-2018-16481
- Tags:
- npm
- @remix-run/react
Anything's wrong? Let us know Last updated on January 11, 2026