CVE-2026-22029
Published: 10 January 2026
Summary
CVE-2026-22029 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Shopify Remix-Run/React. Its CVSS base score is 8.0 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique JavaScript (T1059.007); ranked at the 3.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Directly mandates timely remediation of flaws like CVE-2026-22029 by updating vulnerable React Router versions to patched releases.
- SI-10 (Information Input Validation): Requires validation of untrusted inputs used in loaders or actions to block unsafe URLs that enable JavaScript execution via open redirects.
- SI-15 (Information Output Filtering): Filters redirect outputs to prevent injection of malicious URLs leading to client-side XSS in affected React Router modes.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
XSS in public-facing React Router enables arbitrary JS execution (T1059.007) via malicious links/redirects (T1204.001, T1189) against exposed web apps (T1190).
NVD Description
React Router is a router for React. In @remix-run/router versions prior to 1.23.2 and react-router 7.0.0 through 7.11.0, React Router (and Remix v1/v2) SPA open navigation redirects originating from loaders or actions in Framework Mode, Data Mode, or the unstable RSC modes can result in unsafe URLs causing unintended javascript execution on the client. This is only an issue if you are creating redirect paths from untrusted content or via an open redirect. There is no impact if Declarative Mode (<BrowserRouter>) is being used. This issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0.
Deeper analysis
CVE-2026-22029 is a cross-site scripting (XSS) vulnerability, classified under CWE-79, affecting React Router, a routing library for React applications. It impacts @remix-run/router versions prior to 1.23.2 and react-router versions 7.0.0 through 7.11.0, including Remix v1 and v2. The flaw occurs in single-page application (SPA) open navigation redirects originating from loaders or actions when using Framework Mode, Data Mode, or unstable RSC modes. These redirects can lead to unsafe URLs that cause unintended JavaScript execution on the client side. The vulnerability carries a CVSS v3.1 base score of 8.0 (AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N) and has no impact when using Declarative Mode, such as <BrowserRouter>.
Attackers can exploit this issue if applications create redirect paths from untrusted content or via open redirects. No privileges are required (PR:N), but exploitation demands network access (AV:N), high attack complexity (AC:H), and user interaction (UI:R). Successful exploitation changes the scope (S:C) and allows remote attackers to achieve high confidentiality and integrity impacts (C:H/I:H), such as executing arbitrary JavaScript in the victim's browser context.
The GitHub security advisory at https://github.com/remix-run/react-router/security/advisories/GHSA-2w69-qvjg-hvjx confirms the issue has been patched in @remix-run/router version 1.23.2 and react-router version 7.12.0. Security practitioners should update to these versions and review applications for reliance on untrusted redirect sources in the affected modes to mitigate risks.
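As an added example (not the React Router project's code or its patch), the input-validation control described above applied in application code: a helper that accepts a redirect target only when it is a same-origin relative path, plus a hypothetical loader helper `resolveReturnTo` that reads a `returnTo` query parameter. `PLACEHOLDER_ORIGIN` is a constructed base used only for parsing; since the advisory does not specify the exact form of the unsafe URL, the check rejects every non-relative target rather than a particular scheme.

```javascript
// Added example, not project code. Constrain a redirect target taken from
// untrusted input to a same-origin path before it reaches a loader/action
// redirect. Upgrading to the patched release remains the primary fix.
const PLACEHOLDER_ORIGIN = "http://placeholder.invalid"; // constructed parsing base

/**
 * Return `candidate` only if it is a relative, same-origin path such as
 * "/account?tab=1#x"; otherwise return `fallback`.
 */
function safeRedirectPath(candidate, fallback = "/") {
  if (typeof candidate !== "string") return fallback;
  const s = candidate.trim();
  // Require a single-slash-rooted path. "//host" is protocol-relative and
  // "/\host" is normalised to "//host" by WHATWG URL parsing for http(s).
  if (!s.startsWith("/") || s.startsWith("//") || s.startsWith("/\\")) return fallback;
  let parsed;
  try {
    parsed = new URL(s, PLACEHOLDER_ORIGIN);
  } catch {
    return fallback;
  }
  // After resolution the URL must still sit on the placeholder origin with the
  // http: protocol; absolute URLs and non-http schemes fail this check.
  if (parsed.origin !== PLACEHOLDER_ORIGIN || parsed.protocol !== "http:") return fallback;
  // Re-serialise from parsed components so raw input is never returned as-is.
  return parsed.pathname + parsed.search + parsed.hash;
}

/**
 * Hypothetical loader helper: read `?returnTo=` from the incoming request URL
 * and compute the redirect location. In a real loader the result would be
 * passed to React Router's redirect(); that call is omitted so the file runs
 * stand-alone.
 */
function resolveReturnTo(requestUrl) {
  const returnTo = new URL(requestUrl).searchParams.get("returnTo");
  return safeRedirectPath(returnTo, "/dashboard");
}
```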
Details
- CWE(s)