Published 2025
Stored XSS Vulnerability in React Router
React Router, a widely used routing library in the React ecosystem with 90 million weekly downloads, is affected by a stored cross-site scripting (XSS) issue under specific input handling conditions. This may allow persistent script execution that affects application users.
Summary
This vulnerability allows attackers to inject malicious scripts that persist and execute when other users interact with the affected routes. The stored nature of this XSS means the payload remains in the application state, potentially affecting all users who navigate to the compromised route.
Impact
- Session hijacking through cookie theft
- Credential harvesting via fake login forms
- Malware distribution to application users
- Defacement of application content
Affected Versions
React Router versions prior to the security patch are affected; see the official advisory for the specific version numbers.
Credits & Disclosure
Identified by BugBunny.ai and responsibly disclosed to the React Router maintainers.