CVE-2026-42342 - React Router __manifest path-expansion DoS

React Router Framework Mode applications and Remix applications can expose an unbounded path-expansion problem in the __manifest endpoint. A crafted request can consume disproportionate server resources and degrade response times or make the service unavailable. Declarative Mode (<BrowserRouter>) and Data Mode (createBrowserRouter / <RouterProvider>) are not affected.

This is a straightforward dependency fix, but production remediation should not stop there. The vulnerable surface is a request-driven server endpoint, so the safe recipe also adds route-specific throttling or request-budget protections where the repository controls the server boundary.

When to use it

Use this recipe when a React Router Framework Mode or Remix application exposes the __manifest endpoint from server-rendered routes. It supports source-code remediation, request-budget hardening, availability testing, and audit evidence that crafted manifest requests cannot degrade route serving.

Inputs

  • React Router, Remix, and server-runtime versions; package lockfiles; route tree; deployment platform; and endpoint-level rate/request limits.
  • Source paths for framework server entrypoints, manifest routes, proxy/cache configuration, throttling middleware, and observability.
  • Regression fixtures for crafted path-expansion requests, benign manifest requests, high-concurrency requests, and expected throttle/response behavior.
  • Boundary evidence: public endpoint exposure, caching layer, autoscaling, logs/metrics, and rollout owner.

Affected versions

Package Vulnerable versions Fixed versions
react-router >=7.0.0, <7.15.0 in Framework Mode 7.15.0+
@remix-run/server-runtime >=2.10.0, <2.17.5 2.17.5+

Indicator-of-exposure

  • The repository resolves vulnerable react-router or @remix-run/server-runtime versions.
  • The application uses React Router Framework Mode or Remix server runtime.
  • The runtime exposes __manifest over an internet-facing, partner-facing, or shared internal HTTP path.
  • The same app instance has tight CPU or memory budgets, shared multi-tenant workloads, or aggressive autoscaling costs where request amplification can become an availability event.
  • The gateway, CDN, or app server does not already enforce meaningful throttling, request budgets, or endpoint-specific abuse controls.

Quick checks:

rg -n "\"react-router\"|\"@remix-run/server-runtime\"|__manifest|createRequestHandler|HydratedRouter|remix|entry.server|ServerRouter|framework mode" .
npm ls react-router @remix-run/server-runtime
pnpm why react-router @remix-run/server-runtime
yarn why react-router @remix-run/server-runtime

Remediation strategy

  • Upgrade react-router to 7.15.0+.
  • Upgrade @remix-run/server-runtime to 2.17.5+ wherever Remix remains in use.
  • Regenerate lockfiles, image layers, package-manager metadata, SBOMs, and deployment artifacts.
  • Add server or gateway protections for __manifest: rate limiting, request size/path budget enforcement, or explicit endpoint shaping when this repo controls that layer.
  • Add regression tests that prove patched versions are resolved and that abuse-shaped requests no longer produce unbounded work.
  • Review observability and autoscaling alerts so repeat abuse is visible if the service is probed before rollout completes.

The prompt

You are remediating CVE-2026-42342 / GHSA-8x6r-g9mw-2r78, a React Router and
Remix Framework Mode `__manifest` resource-exhaustion issue. Produce exactly
one output:

- A reviewer-ready PR/change request that upgrades affected packages, adds safe
  endpoint protections and regression checks, refreshes generated artifacts,
  and documents operator actions, or
- TRIAGE.md if this repository does not control an affected Framework Mode or
  Remix runtime.

## Rules

- Scope only CVE-2026-42342 / GHSA-8x6r-g9mw-2r78 and directly related
  `__manifest` availability controls.
- Do not run traffic floods, synthetic DoS probes, or production stress tests
  against a live service.
- Treat tenant data, sessions, tokens, and internal URLs as sensitive.
- Do not remove routing features or downgrade authz checks just to bypass the
  endpoint.
- Do not auto-merge.

## Steps

1. Inventory every `react-router` and `@remix-run/server-runtime` dependency,
   lockfile, workspace, image, SBOM, and deployment artifact controlled by this
   repository.
2. Determine whether the application uses React Router Framework Mode or Remix.
   The target is vulnerable if `react-router >=7.0.0, <7.15.0` or
   `@remix-run/server-runtime >=2.10.0, <2.17.5` is resolved in an affected
   runtime.
3. Identify where `__manifest` is reachable: direct app server, gateway path,
   CDN origin, dev preview, or internal service mesh route.
4. If the repository does not control an affected runtime, stop with
   `TRIAGE.md` listing checked files, resolved versions, and the owning team if
   another platform supplies the runtime.
5. Upgrade `react-router` to `7.15.0+` and `@remix-run/server-runtime` to
   `2.17.5+` where applicable. Refresh lockfiles, package metadata, images,
   SBOMs, and rendered deployment output.
6. Add defense in depth where this repository controls the server boundary:
   - rate limit `__manifest`;
   - apply request path or segment-count validation;
   - set endpoint-specific timeouts or work budgets if available;
   - document any gateway/CDN rule needed until rollout is complete.
7. Add safe regression checks:
   - dependency policy confirms patched versions;
   - framework/remix route tests cover `__manifest`;
   - abuse-shaped requests are rejected or bounded without load testing;
   - observability or logs can distinguish repeated endpoint abuse.
8. Add a PR body section named `CVE-2026-42342 operator actions` that states:
   - package versions before and after;
   - whether Framework Mode or Remix is used;
   - how `__manifest` is exposed;
   - what throttling or request-budget protections were added;
   - which alerts or dashboards should be watched during rollout.
9. Run available validation: package install, unit tests, route tests, build,
   lint/typecheck, SBOM refresh, dependency/security scans, and deployment
   rendering.
10. Use PR title:
    `fix(sec): remediate CVE-2026-42342 in React Router`.

## Stop conditions

- No affected Framework Mode or Remix runtime is controlled by this repository.
- Only Declarative Mode or Data Mode is used.
- A fixed version cannot be adopted without a broader framework migration;
  document the owner and temporary endpoint containment.
- Verification would require live load generation against a shared or
  production service.
- Validation fails for unrelated pre-existing reasons; document those failures
  instead of broadening scope.

Output contract

  • A reviewer-ready PR or change request that upgrades React Router/Remix, adds manifest-endpoint regression checks, applies route-specific throttling or request budgets, and documents rollout.
  • Or a TRIAGE.md file that lists inspected files, owner, observed versions, manifest exposure, request-budget control, required fix, and residual risk.
  • The output must include exact validation commands and must not load-test production endpoints or disclose route/tenant data.

Verification - what the reviewer looks for

  • No lockfile, workspace, image, or SBOM resolves affected package versions.
  • __manifest exposure is either patched and bounded or clearly documented as not present.
  • Safe tests cover the endpoint without a real DoS attempt.
  • Rollout notes cover temporary rate limiting or endpoint shaping if needed.

Watch for

  • Updating react-router but leaving @remix-run/server-runtime pinned in a different workspace.
  • Assuming every React Router app exposes __manifest.
  • Adding gateway throttling while a second ingress path bypasses that control.
  • Treating a dev preview or shared internal deployment as harmless when it can still consume shared resources.

References