GHSA-8v8x-cx79-35w7
Suggest an improvement- Source
- https://github.com/advisories/GHSA-8v8x-cx79-35w7
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/01/GHSA-8v8x-cx79-35w7/GHSA-8v8x-cx79-35w7.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-8v8x-cx79-35w7
- Aliases
- Published
- 2026-01-08T20:50:05Z
- Modified
- 2026-01-11T15:03:40.014558Z
- Severity
-
- 8.2 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N CVSS Calculator
- Summary
- React Router SSR XSS in ScrollRestoration
- Details
-
A XSS vulnerability exists in in React Router's
<ScrollRestoration>API in Framework Mode when using thegetKey/storageKeyprops during Server-Side Rendering which could allow arbitrary JavaScript execution during SSR if untrusted content is used to generate the keys.[!NOTE] This does not impact applications if developers have disabled server-side rendering in Framework Mode, or if they are using Declarative Mode (
<BrowserRouter>) or Data Mode (createBrowserRouter/<RouterProvider>). - Database specific
{ "cwe_ids": [ "CWE-79" ], "nvd_published_at": "2026-01-10T03:15:48Z", "github_reviewed_at": "2026-01-08T20:50:05Z", "github_reviewed": true, "severity": "HIGH" }- References
Affected packages
npm / react-router
Package
- Name
- react-router
- View open source insights on deps.dev
- Purl
- pkg:npm/react-router
npm / @remix-run/react
Package
- Name
- @remix-run/react
- View open source insights on deps.dev
- Purl
- pkg:npm/%40remix-run/react