CVE-2025-59057
Published: 10 January 2026
Summary
CVE-2025-59057 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Shopify React-Router. Its CVSS base score is 7.6 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). It ranks at the 5.1 percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
Threat & Defense Details
Likely Mitigating Controls (AI)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.
Input validation rejects script-related content in web inputs that could produce XSS.
Output encoding or validation of generated page content can reject or sanitize script content before it reaches the browser, reducing XSS exploitability.
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
An XSS flaw in a public-facing, server-side-rendered web application maps directly to drive-by compromise and to exploitation of public-facing applications: injected content is delivered to visitors' browsers as executable JavaScript.
NVD Description
React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.
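The description says untrusted content in a script:ld+json tag leads to script execution but does not spell out the mechanism. The example below is added here and is not React Router's code or its patch; it reproduces the classic failure mode for JSON embedded in a <script> element (an assumption consistent with the description): JSON.stringify leaves "</script>" intact, so the HTML parser closes the element early and treats what follows as markup. The function names (renderLdJsonTag, serializeJsonForScript and so on) and the product data are constructed for the demo.

```javascript
// Added example, not react-router's code. Shows why a JSON-LD tag rendered
// during SSR is an XSS sink when the JSON is not escaped for HTML, and one
// hardened serializer. All names below are assumptions for this demo.

// Naive path: plain JSON.stringify. Valid JSON, but "<" and "</script>" are
// emitted literally, which is all the HTML tokenizer needs.
function serializeJsonNaive(value) {
  return JSON.stringify(value);
}

// Hardened path: turn every character that matters to the HTML parser into a
// JSON \uXXXX escape. The output is still valid JSON (JSON.parse round-trips),
// but the tokenizer never sees "<", ">" or "&". U+2028/U+2029 are escaped too
// so the same serializer is safe if it ever feeds an inline JS literal.
function serializeJsonForScript(value) {
  return JSON.stringify(value)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e')
    .replace(/&/g, '\\u0026')
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
}

// Stand-in for what a meta() entry { "script:ld+json": data } becomes in the
// server-rendered <head>. `serialize` selects the naive or hardened path.
function renderLdJsonTag(data, serialize) {
  return `<script type="application/ld+json">${serialize(data)}</script>`;
}

// Constructed untrusted input: think of a product name that a low-privileged
// user controls and that the route later echoes into structured data.
const UNTRUSTED_NAME = '</script><script>alert(document.cookie)</script>';

function buildProductJsonLd(name) {
  return { '@context': 'https://schema.org', '@type': 'Product', name: name };
}

// Approximates the HTML tokenizer's view: how many <script> start tags exist.
// A correctly rendered page has exactly one for this tag.
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

function demo() {
  const data = buildProductJsonLd(UNTRUSTED_NAME);
  const vulnerable = renderLdJsonTag(data, serializeJsonNaive);
  const safe = renderLdJsonTag(data, serializeJsonForScript);
  return {
    vulnerable: vulnerable,
    safe: safe,
    vulnerableScriptTags: countScriptTags(vulnerable), // 2: attacker's tag runs
    safeScriptTags: countScriptTags(safe),             // 1: payload stays a string
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  const r = demo();
  console.log(r.vulnerable);
  console.log(r.safe);
}
```

The point worth taking from the two outputs is that both serializers produce valid JSON; JSON validity says nothing about HTML safety. The same rule applies to any data an application drops into a <script> element by hand (hydration state, analytics config): escape for the HTML context, not just for JSON.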
Deeper analysis (AI)
CVE-2025-59057 is a cross-site scripting (XSS) vulnerability (CWE-79) in React Router, a routing library for React applications. The flaw affects the meta() and <Meta> APIs when operating in Framework Mode during server-side rendering (SSR), specifically when generating script:ld+json tags using untrusted content, which can enable arbitrary JavaScript execution. Vulnerable versions include @remix-run/react from 1.15.0 through 2.17.0 and react-router from 7.0.0 through 7.8.2. There is no impact on applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>).
The vulnerability has a CVSS v3.1 base score of 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N): network-reachable, low attack complexity, low privileges required, user interaction required, and a changed scope, since the injected script runs in visitors' browsers rather than in the server component that renders it. An attacker with low privileges who can get untrusted content into data that meta() serializes into a script:ld+json tag achieves arbitrary JavaScript execution in the browser of any user who loads the server-rendered page, primarily impacting confidentiality (session data, page content) with a lesser integrity impact.
The issue has been addressed in @remix-run/react version 2.17.1 and react-router version 7.9.0. Additional details on the vulnerability and mitigation are available in the GitHub security advisory at https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8.
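A quick way to turn the version ranges above into a triage check, as an added example that is not the project's tooling: the ranges are copied from the NVD description, the helper names are assumptions, and the package-lock.json excerpt is constructed. The lockfile walk assumes the lockfileVersion 2/3 layout in which each installed copy appears under a node_modules/… key in the "packages" map.

```javascript
// Added example, not react-router's own tooling. Flags installed copies of the
// affected packages whose version lies inside the advisory's ranges.
// Ranges are from the NVD description; function names are assumptions.

const AFFECTED_RANGES = {
  '@remix-run/react': { min: '1.15.0', max: '2.17.0', fixed: '2.17.1' },
  'react-router':     { min: '7.0.0',  max: '7.8.2',  fixed: '7.9.0'  },
};

// Minimal x.y.z comparison. Prerelease suffixes are stripped, so "7.9.0-pre.1"
// is treated as 7.9.0 (optimistic; confirm by hand if you ship prereleases).
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Inclusive range check: min <= version <= max for a known package name.
function isAffected(pkg, version) {
  const r = AFFECTED_RANGES[pkg];
  if (!r || typeof version !== 'string') return false;
  return compareVersions(version, r.min) >= 0 && compareVersions(version, r.max) <= 0;
}

// Walks the "packages" map of a lockfileVersion 2/3 package-lock.json. Nested
// copies (node_modules/a/node_modules/react-router) are checked too, because a
// transitive dependency can pin an old version even when the root is patched.
function findAffectedInLock(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    const name = entry.name || path.split('node_modules/').pop();
    if (isAffected(name, entry.version)) {
      hits.push({ path: path, name: name, version: entry.version, fixed: AFFECTED_RANGES[name].fixed });
    }
  }
  return hits;
}

// Constructed lockfile excerpt: one vulnerable root copy, one patched copy,
// and one nested copy that is already on the fixed line.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0' },
    'node_modules/react-router': { version: '7.8.2' },
    'node_modules/@remix-run/react': { version: '2.17.1' },
    'node_modules/foo/node_modules/react-router': { version: '7.9.0' },
  },
};

if (typeof require !== 'undefined' && require.main === module) {
  // Replace SAMPLE_LOCK with JSON.parse(fs.readFileSync('package-lock.json')) to scan a real tree.
  console.log(findAffectedInLock(SAMPLE_LOCK));
}
```

A hit means the package version is in range, not that the application is exploitable: per the advisory, only Framework Mode is affected, and only where meta() emits a script:ld+json entry built from untrusted content. Use the version check to decide who must upgrade; use a code search for "script:ld+json" in route modules to decide who is exposed in the meantime.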
Details
- CWE(s)