Cyber Resilience

CVE-2025-59057

High

Published: 10 January 2026
Modified: 30 January 2026
KEV Added: not listed
Patch: available
CVSS v3.1 Score: 7.6 (High) CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
EPSS Score: 0.0001 (percentile 1.2)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-59057 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Shopify React-Router. Its CVSS base score is 7.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Drive-by Compromise (T1189). Its EPSS score places it at the 1.2 percentile for exploit likelihood (well below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-59057 is a cross-site scripting (XSS) vulnerability (CWE-79) in React Router, a routing library for React applications. The flaw affects the meta() and <Meta> APIs when operating in Framework Mode during server-side rendering (SSR), specifically when generating script:ld+json tags from untrusted content. The tag body is emitted inside a <script> element, so a value that contains a closing script tag sequence can terminate that element early and inject markup that the browser then parses and executes as arbitrary JavaScript. Vulnerable versions include @remix-run/react from 1.15.0 through 2.17.0 and react-router from 7.0.0 through 7.8.2. There is no impact on applications using Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>), since those modes do not perform this server-side tag generation.

The CVSS v3.1 base score is 7.6 (AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N): the flaw is reachable over the network with low attack complexity, requires only low privileges (enough to get content into the data that meta() serializes, for example through a user-editable field), and needs user interaction (the victim loads the affected page). Scope is changed because the payload executes in the victim's browser rather than in the server-side component that produced it. The impact is high on confidentiality and low on integrity, consistent with script execution in the victim's session.

The issue has been addressed in @remix-run/react version 2.17.1 and react-router version 7.9.0. Additional details on the vulnerability and mitigation are available in the GitHub security advisory at https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8.
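To make the mechanism concrete, the following is an added example written for this page; it is not code from React Router or from the GHSA advisory. It renders a JSON-LD tag from a constructed, attacker-controlled product description the naive way and through a serializer that escapes the characters able to break out of the script element. The function and variable names are the editor's own, and the escaping shown is the standard mitigation for this vulnerability class, not a claim about the exact change in the patched releases.

```javascript
// Added example (editor's own code, not React Router's implementation or
// its patch): why a JSON-LD <script> tag built from untrusted data is an XSS
// sink, and a serializer that neutralises the breakout while keeping the
// JSON parseable. Names and the sample payload are constructed for this page.

// Constructed sample: an attacker-controlled field (e.g. a product description
// stored in a CMS) that a route's meta() would pass into a script:ld+json tag.
const untrustedDescription =
  'Handmade mug</script><script>alert(document.domain)</script>';

// Vulnerable pattern (CWE-79): JSON.stringify leaves "<" and ">" untouched, so
// a string containing "</script>" ends the script element early and whatever
// follows is parsed as HTML, including a fresh <script> that the browser runs.
function renderLdJsonNaive(data) {
  return `<script type="application/ld+json">${JSON.stringify(data)}</script>`;
}

// Hardened serializer: replace "<" and ">" with JSON \uXXXX escapes. The output
// is still valid JSON (JSON.parse and JSON-LD consumers decode the escapes),
// but it can no longer contain a literal "</script" or "<!--" sequence, so the
// HTML parser never leaves the script element before the intended closing tag.
function serializeJsonForScript(data) {
  return JSON.stringify(data)
    .replace(/</g, '\\u003c')
    .replace(/>/g, '\\u003e');
}

function renderLdJsonSafe(data) {
  return `<script type="application/ld+json">${serializeJsonForScript(data)}</script>`;
}

// Review check for rendered SSR output: a single JSON-LD tag must contain
// exactly one "<script" opener; any extra one means a value broke out.
function countScriptOpenTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed JSON-LD document in the shape a route's meta() might return.
const productLd = {
  '@context': 'https://schema.org',
  '@type': 'Product',
  name: 'Mug',
  description: untrustedDescription,
};

function demo() {
  const naive = renderLdJsonNaive(productLd);
  const safe = renderLdJsonSafe(productLd);
  return {
    naiveScriptTags: countScriptOpenTags(naive), // 2: wrapper plus injected tag
    safeScriptTags: countScriptOpenTags(safe),   // 1: wrapper only
    // The escaped body still round-trips to the original value.
    roundTripOk:
      JSON.parse(serializeJsonForScript(productLd)).description === untrustedDescription,
  };
}

console.log(demo());
```

Run with node. The counting helper doubles as a cheap regression check over rendered HTML in CI: a page with one JSON-LD descriptor should never contain more than one `<script` opener from that tag. This reproduces the vulnerability class, not React Router's internals; upgrading to the patched versions remains the actual fix.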


Vulnerability details

React Router is a router for React. In @remix-run/react versions 1.15.0 through 2.17.0 and react-router versions 7.0.0 through 7.8.2, an XSS vulnerability exists in React Router's meta()/<Meta> APIs in Framework Mode when generating script:ld+json tags, which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the tag. There is no impact if the application is being used in Declarative Mode (<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). This issue has been patched in @remix-run/react version 2.17.1 and react-router version 7.9.0.

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-assisted mapping)

T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

An XSS flaw in a public-facing, server-rendered web application supports both techniques: injected content delivered in a routinely visited page gives drive-by compromise (T1189), and the injection point itself is a weakness in an Internet-facing application that an adversary exploits to gain initial access (T1190).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22029 (same product: Shopify React-Router)
CVE-2026-21884 (same product: Shopify React-Router)
CVE-2026-33245 (same product: Shopify React-Router)
CVE-2026-42211 (same product: Shopify React-Router)
CVE-2024-13329 (shared CWE-79)
CVE-2026-1216 (shared CWE-79)
CVE-2025-13002 (shared CWE-79)
CVE-2025-27500 (shared CWE-79)
CVE-2026-1931 (shared CWE-79)
CVE-2025-28917 (shared CWE-79)

Affected Assets

shopify / react-router: 7.0.0 through 7.8.2
shopify / @remix-run/react: 1.15.0 through 2.17.0

Mitigating Controls (NIST 800-53 r5, AI-assisted mapping)

prevent (patch): Timely upgrading of the vulnerable React Router versions (to @remix-run/react 2.17.1 or react-router 7.9.0) directly remediates the XSS flaw in the meta()/<Meta> APIs during SSR. Confirm the installed version of both packages in the lockfile, since @remix-run/react and react-router have separate fixed releases.

prevent (SI-15 Information Output Filtering): Encoding the SSR-generated script:ld+json body so that untrusted values cannot close the enclosing <script> element prevents arbitrary JavaScript execution from untrusted inputs. This is an output-side control applied at the point the tag is serialized, not a blocklist of suspicious strings.

prevent (SI-10 Information Input Validation): Validating untrusted content before it reaches the meta()/<Meta> APIs reduces the chance that a malicious payload is used to generate the tag. Treat this as defence in depth; it does not substitute for upgrading, because the vulnerable serialization remains in place for any input that bypasses validation.

References

GitHub Security Advisory GHSA-3cgp-3xvw-98x8: https://github.com/remix-run/react-router/security/advisories/GHSA-3cgp-3xvw-98x8