CVE-2026-42342 - React Router __manifest path-expansion DoS
React Router Framework Mode applications and Remix applications can expose an
unbounded path-expansion problem in the __manifest endpoint. A crafted
request can consume disproportionate server resources and degrade response
times or make the service unavailable. Declarative Mode (<BrowserRouter>) and
Data Mode (createBrowserRouter / <RouterProvider>) are not affected.
This is a straightforward dependency fix, but production remediation should not stop there. The vulnerable surface is a request-driven server endpoint, so the safe recipe also adds route-specific throttling or request-budget protections where the repository controls the server boundary.
When to use it
Use this recipe when a React Router Framework Mode or Remix application exposes
the __manifest endpoint from server-rendered routes. It supports source-code
remediation, request-budget hardening, availability testing, and audit evidence
that crafted manifest requests cannot degrade route serving.
Inputs
- React Router, Remix, and server-runtime versions; package lockfiles; route tree; deployment platform; and endpoint-level rate/request limits.
- Source paths for framework server entrypoints, manifest routes, proxy/cache configuration, throttling middleware, and observability.
- Regression fixtures for crafted path-expansion requests, benign manifest requests, high-concurrency requests, and expected throttle/response behavior.
- Boundary evidence: public endpoint exposure, caching layer, autoscaling, logs/metrics, and rollout owner.
Affected versions
| Package | Vulnerable versions | Fixed versions |
|---|---|---|
react-router |
>=7.0.0, <7.15.0 in Framework Mode |
7.15.0+ |
@remix-run/server-runtime |
>=2.10.0, <2.17.5 |
2.17.5+ |
Indicator-of-exposure
- The repository resolves vulnerable
react-routeror@remix-run/server-runtimeversions. - The application uses React Router Framework Mode or Remix server runtime.
- The runtime exposes
__manifestover an internet-facing, partner-facing, or shared internal HTTP path. - The same app instance has tight CPU or memory budgets, shared multi-tenant workloads, or aggressive autoscaling costs where request amplification can become an availability event.
- The gateway, CDN, or app server does not already enforce meaningful throttling, request budgets, or endpoint-specific abuse controls.
Quick checks:
rg -n "\"react-router\"|\"@remix-run/server-runtime\"|__manifest|createRequestHandler|HydratedRouter|remix|entry.server|ServerRouter|framework mode" .
npm ls react-router @remix-run/server-runtime
pnpm why react-router @remix-run/server-runtime
yarn why react-router @remix-run/server-runtime
Remediation strategy
- Upgrade
react-routerto7.15.0+. - Upgrade
@remix-run/server-runtimeto2.17.5+wherever Remix remains in use. - Regenerate lockfiles, image layers, package-manager metadata, SBOMs, and deployment artifacts.
- Add server or gateway protections for
__manifest: rate limiting, request size/path budget enforcement, or explicit endpoint shaping when this repo controls that layer. - Add regression tests that prove patched versions are resolved and that abuse-shaped requests no longer produce unbounded work.
- Review observability and autoscaling alerts so repeat abuse is visible if the service is probed before rollout completes.
The prompt
You are remediating CVE-2026-42342 / GHSA-8x6r-g9mw-2r78, a React Router and
Remix Framework Mode `__manifest` resource-exhaustion issue. Produce exactly
one output:
- A reviewer-ready PR/change request that upgrades affected packages, adds safe
endpoint protections and regression checks, refreshes generated artifacts,
and documents operator actions, or
- TRIAGE.md if this repository does not control an affected Framework Mode or
Remix runtime.
## Rules
- Scope only CVE-2026-42342 / GHSA-8x6r-g9mw-2r78 and directly related
`__manifest` availability controls.
- Do not run traffic floods, synthetic DoS probes, or production stress tests
against a live service.
- Treat tenant data, sessions, tokens, and internal URLs as sensitive.
- Do not remove routing features or downgrade authz checks just to bypass the
endpoint.
- Do not auto-merge.
## Steps
1. Inventory every `react-router` and `@remix-run/server-runtime` dependency,
lockfile, workspace, image, SBOM, and deployment artifact controlled by this
repository.
2. Determine whether the application uses React Router Framework Mode or Remix.
The target is vulnerable if `react-router >=7.0.0, <7.15.0` or
`@remix-run/server-runtime >=2.10.0, <2.17.5` is resolved in an affected
runtime.
3. Identify where `__manifest` is reachable: direct app server, gateway path,
CDN origin, dev preview, or internal service mesh route.
4. If the repository does not control an affected runtime, stop with
`TRIAGE.md` listing checked files, resolved versions, and the owning team if
another platform supplies the runtime.
5. Upgrade `react-router` to `7.15.0+` and `@remix-run/server-runtime` to
`2.17.5+` where applicable. Refresh lockfiles, package metadata, images,
SBOMs, and rendered deployment output.
6. Add defense in depth where this repository controls the server boundary:
- rate limit `__manifest`;
- apply request path or segment-count validation;
- set endpoint-specific timeouts or work budgets if available;
- document any gateway/CDN rule needed until rollout is complete.
7. Add safe regression checks:
- dependency policy confirms patched versions;
- framework/remix route tests cover `__manifest`;
- abuse-shaped requests are rejected or bounded without load testing;
- observability or logs can distinguish repeated endpoint abuse.
8. Add a PR body section named `CVE-2026-42342 operator actions` that states:
- package versions before and after;
- whether Framework Mode or Remix is used;
- how `__manifest` is exposed;
- what throttling or request-budget protections were added;
- which alerts or dashboards should be watched during rollout.
9. Run available validation: package install, unit tests, route tests, build,
lint/typecheck, SBOM refresh, dependency/security scans, and deployment
rendering.
10. Use PR title:
`fix(sec): remediate CVE-2026-42342 in React Router`.
## Stop conditions
- No affected Framework Mode or Remix runtime is controlled by this repository.
- Only Declarative Mode or Data Mode is used.
- A fixed version cannot be adopted without a broader framework migration;
document the owner and temporary endpoint containment.
- Verification would require live load generation against a shared or
production service.
- Validation fails for unrelated pre-existing reasons; document those failures
instead of broadening scope.
Output contract
- A reviewer-ready PR or change request that upgrades React Router/Remix, adds manifest-endpoint regression checks, applies route-specific throttling or request budgets, and documents rollout.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed versions, manifest exposure, request-budget control, required fix, and residual risk. - The output must include exact validation commands and must not load-test production endpoints or disclose route/tenant data.
Verification - what the reviewer looks for
- No lockfile, workspace, image, or SBOM resolves affected package versions.
__manifestexposure is either patched and bounded or clearly documented as not present.- Safe tests cover the endpoint without a real DoS attempt.
- Rollout notes cover temporary rate limiting or endpoint shaping if needed.
Watch for
- Updating
react-routerbut leaving@remix-run/server-runtimepinned in a different workspace. - Assuming every React Router app exposes
__manifest. - Adding gateway throttling while a second ingress path bypasses that control.
- Treating a dev preview or shared internal deployment as harmless when it can still consume shared resources.
Related recipes
- Source code attack surface map
- Source code authz tenant boundary audit
- OWASP Top 10 2026 audit
- SAST finding triage and fix