Bug 2484116 (CVE-2026-42342) - CVE-2026-42342 react-router: @remix-run/server-runtime: React Router / Remix: Denial of Service via unbounded path expansion in __manifest endpoint
Summary: CVE-2026-42342 react-router: @remix-run/server-runtime: React Router / Remix:...
Keywords:
Status: NEW
Alias: CVE-2026-42342
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2026-06-02 20:02 UTC by OSIDB Bzimport
Modified: 2026-07-02 12:17 UTC (History)
182 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description OSIDB Bzimport 2026-06-02 20:02:32 UTC
React Router is a router for React. In versions 7.0.0 through 7.14.x of react-router and versions 2.10.0 through 2.17.4 of @remix-run/server-runtime, certain crafted requests can consume disproportionate server resources via unbounded path expansion in the __manifest endpoint, resulting in response time degradation and/or service unavailability for end users. This affects React Router Framework Mode applications as well as Remix applications. This does not impact applications using Declarative Mode (`<BrowserRouter>`) or Data Mode (`createBrowserRouter/<RouterProvider>`). This is patched in react-router version 7.15.0 and @remix-run/server-runtime version 2.17.5.

Comment 2 David Hanina 2026-06-03 06:49:25 UTC
As FreeIPA goes, we can safely waive this one, as we use Declarative mode, which is not affected


Note You need to log in before you can comment on or make changes to this bug.