Description
An XSS vulnerability exists in React Router's <ScrollRestoration> API in Framework Mode when the getKey/storageKey props are used during Server-Side Rendering. It could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.
Recommendation
Update the @remix-run/react package to the latest compatible version. Version details:
- Affected version(s): < 2.17.3
- Patched version(s): 2.17.3
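
To check a project against the version range above, the following added example (not part of the original advisory or of React Router) scans an npm lockfile for every installed copy of @remix-run/react, including copies nested under other dependencies. It assumes a lockfileVersion 2 or 3 file with a `packages` map; the sample lockfile and the names `demo-app`, `legacy-widget` and `react-extras` are constructed for illustration.

```javascript
// Added example: flag @remix-run/react installs below the patched 2.17.3
// in an npm lockfile (lockfileVersion 2 or 3, which carry a "packages" map).
const PKG = "@remix-run/react";
const PATCHED = "2.17.3";

// Split "1.2.3-pre.0+build" into its numeric core and a prerelease flag.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$/.exec(String(v).trim());
  if (!m) return null;
  return { core: [Number(m[1]), Number(m[2]), Number(m[3])], pre: Boolean(m[4]) };
}

// True when `version` sorts before `patched` under semver precedence.
// A prerelease of the patched version (2.17.3-pre.0) still counts as older.
function isAffected(version, patched = PATCHED) {
  const a = parseVersion(version);
  const b = parseVersion(patched);
  if (!a || !b) return null; // unparseable: surface it for manual review
  for (let i = 0; i < 3; i++) {
    if (a.core[i] !== b.core[i]) return a.core[i] < b.core[i];
  }
  return a.pre && !b.pre;
}

// Walk every install path, including copies nested under other packages.
function findAffected(lock) {
  const findings = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    const isTarget = installPath === `node_modules/${PKG}` ||
      installPath.endsWith(`/node_modules/${PKG}`);
    if (!isTarget) continue;
    const affected = isAffected(meta.version);
    if (affected !== false) findings.push({ path: installPath, version: meta.version, affected });
  }
  return findings;
}

// Constructed sample; in practice pass JSON.parse of the project's package-lock.json.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app" },
    "node_modules/@remix-run/react": { version: "2.17.3" },
    "node_modules/legacy-widget/node_modules/@remix-run/react": { version: "2.16.8" },
    "node_modules/@remix-run/react-extras": { version: "1.0.0" },
  },
};
console.log(findAffected(sampleLock));
```

A finding with `affected: null` means the version string could not be parsed and should be checked by hand.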
References
Related Issues
- React Router has XSS Vulnerability - CVE-2025-59057
- Svelte affected by XSS in SSR `<option>` element - CVE-2026-27119
- Svelte: XSS via HTML Comment Injection in SSR Error Boundary Hydration Markers - CVE-2026-27902
- Svelte vulnerable to XSS during SSR with contenteditable `bind:innerText` and `bind:textContent` - CVE-2026-27901
Tags:
- npm
- @remix-run/react
Last updated on January 11, 2026